diff --git a/0001-2155-Use-reference-in-loop-in-listpodsandbox.patch b/0001-2155-Use-reference-in-loop-in-listpodsandbox.patch new file mode 100644 index 0000000000000000000000000000000000000000..78f58130599ca96fcd9e7c65b2519873566bcd6f --- /dev/null +++ b/0001-2155-Use-reference-in-loop-in-listpodsandbox.patch @@ -0,0 +1,26 @@ +From 8dacc4a2740ed3ba99fab88324c50fa37274297d Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Tue, 29 Aug 2023 11:50:52 +0000 +Subject: [PATCH 01/32] !2155 Use reference in loop in listpodsandbox * Use + reference in loop in listpodsandbox + +--- + src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index 33b700f3..687f4e6d 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -739,7 +739,7 @@ void PodSandboxManagerService::ListPodSandbox(const runtime::v1::PodSandboxFilte + + sandbox::SandboxManager::GetInstance()->ListAllSandboxes(filter, sandboxes); + +- for (const auto sandbox : sandboxes) { ++ for (const auto &sandbox : sandboxes) { + std::unique_ptr pod(new runtime::v1::PodSandbox); + + pod->set_id(sandbox->GetId()); +-- +2.25.1 + diff --git a/0001-convert-files-from-CRLF-to-LF.patch b/0001-convert-files-from-CRLF-to-LF.patch deleted file mode 100644 index 1f496e45c25bf29b9296e74d3c67eebad064279b..0000000000000000000000000000000000000000 --- a/0001-convert-files-from-CRLF-to-LF.patch +++ /dev/null @@ -1,1942 +0,0 @@ -From 634671cf7ac001bc64853375c5d77016966b6c09 Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Fri, 12 May 2023 09:58:09 +0800 -Subject: [PATCH 1/9] convert files from CRLF to LF - -Signed-off-by: zhangxiaoyu ---- - README_zh.md | 462 ++++++++-------- - docs/design/architecture.md | 86 +-- - docs/design/architecture_zh.md | 82 +-- - .../design/detailed/CRI/k8s125_New_Add_CRI.md | 324 ++++++------ - docs/design/detailed/Container/state_check.md | 494 +++++++++--------- - docs/manual/k8s_integration_zh.md | 428 +++++++-------- - test/image/oci/registry/data/v2/ping_head | 4 +- - 7 files changed, 940 insertions(+), 940 deletions(-) - -diff --git a/README_zh.md b/README_zh.md -index 4d4e1401..72942765 100755 ---- a/README_zh.md -+++ b/README_zh.md -@@ -1,232 +1,232 @@ --- [English version](README.md) -- --iSulad -- -- ![license](https://img.shields.io/badge/license-Mulan%20PSL%20v2-blue) ![language](https://img.shields.io/badge/language-C%2FC%2B%2B-blue) -- --## Introduction -- --`iSulad`是一个由C/C++编写实现的轻量级容器引擎,具有轻、灵、巧、快的特点,不受硬件规格和架构限制,底噪开销更小,可应用的领域更为广泛。 -- --## Architecture -- --`iSulad`架构的相关介绍请查看:[architecture](./docs/design/architecture_zh.md)。 -- --## Function -- --### Runtime -- --`iSulad`支持多种容器runtime,包括lxc、runc和kata。 -- --#### lxc -- --lxc是用C语言编写的开源容器操作runtime,资源占用少,适用于对底噪资源限制高的场景,为iSulad默认的runtime。 -- --#### runc -- --runc是用GO语言编写的符合OCI标准的runtime,使用runc时要求其使用的OCI runtime-spec version不低于iSulad支持的oci spec version 1.0.0。 -- --#### kata-runtime -- --kata-runtime是一个安全容器runtime,用于启动安全容器时使用。 -- --### Image -- --`iSulad`支持多种镜像格式,包括OCI标准镜像格式、external rootfs镜像格式和embedded image镜像格式。 -- --#### OCI -- --OCI标准镜像格式是与docker兼容的镜像格式,支持从远程镜像仓库拉取镜像、运行容器。 -- --#### external rootfs -- --external rootfs镜像格式允许用户自行准备可启动的`root fs`目录,主要用于系统容器场景。 -- --#### embedded image -- --embedded image镜像格式是`iSulad`特有的嵌入式镜像格式,占用资源低,主要用于嵌入式应用场景。 -- --### Operation Interface -- --`iSulad`提供两种不同的镜像和容器管理操作接口,分别为CLI和CRI。 -- --#### CLI -- --CLI采用命令行的形式进行镜像和容器管理,是标准的C/S架构模式,将iSulad作为daemon服务端,iSula作为独立的客户端命令,供用户使用。 -- --iSula提供的命令参数覆盖了常用的大部分应用场景,包括容器的操作接口,如运行、停止、删除、pause等操作,也包括镜像的相关操作,如下载、导入、删除等。 -- --#### CRI -- --CRI(Container Runtime Interface)是由K8S对外提供的容器和镜像的服务接口,供容器引擎接入K8s。 -- --CRI接口基于gRPC实现。iSulad遵循CRI接口规范,实现 CRI gRPC Server,CRI gRPC Server 中包括 Runtime Service 和 image Service,分别用来提供容器运行时接口和镜像操作接口。iSulad的 gRPC Server 需要监听本地的Unix socket,而K8s的组件 kubelet 则作为 gRPC Client 运行。 -- --## Getting Started -- --- [用法指南:openeuler官方手册](https://docs.openeuler.org/zh/docs/22.03_LTS/docs/Container/container.html) -- --- [开发指南](./docs/build_docs/README_zh.md) -- --- [用户手册](./docs/manual/README_zh.md) -- --- [设计文档](./docs/design/README_zh.md) -- --### Installing -- --`iSulad`可以使用`yum`命令进行安装,安装之前需要查看确保配置了openEuler仓库: -- --```shell --$ cat << EOF > /etc/yum.repos.d/openEuler.repo --[openEuler] --baseurl=https://repo.openeuler.org/openEuler-22.03-LTS/OS/\$basearch --enabled=1 --EOF --``` -- --用`yum`安装`iSulad`的命令如下: -- --```shell --$ yum install -y iSulad --``` -- --若运行安装命令后报如下错误: -- --```txt --Repository 'openEuler' is missing name in configuration, using id. -- --You have enabled checking of packages via GPG keys. This is a good thing. --However, you do not have any GPG public keys installed. You need to download --the keys for packages you wish to install and install them. --You can do that by running the command: -- rpm --import public.gpg.key -- -- --Alternatively you can specify the url to the key you would like to use --for a repository in the 'gpgkey' option in a repository section and YUM --will install it for you. -- --For more information contact your distribution or package provider. --``` -- --则需要先运行`rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-openEuler`。 -- --### Configure -- --成功安装`iSulad`之后,需要先配置好容器镜像的注册地址,以"docker.io"为例: -- --```shell --# cat /etc/isulad/daemon.json --..... -- "registry-mirrors": [ -- "docker.io" -- ], --..... --``` -- --### Run -- --`iSulad`提供了两种服务的启动方式: -- --1. 使用`systemd`服务来启动`iSulad` -- --```shell --# 通过systemd命令来重启isulad服务 --$ systemctl restart isulad --``` -- --2. 直接使用命令启动`iSulad` -- --```shell --# 使用默认套接字名称、默认日志级别和镜像管理功能启动isulad --$ sudo isulad --``` -- --### Operations on containers -- --`iSulad` 提供了两个管理镜像和容器的操作接口:CLI和CRI。 -- --#### **CLI** -- --`iSulad`使用 `iSula` 作为客户端命令,以下是利用CLI接口管理容器的一些基本命令: -- --- 列出当前环境下的所有容器: -- --```shell --$ sudo isula ps -a --``` -- --- 通过`busybox`镜像创建容器: -- -- - 采用默认的runtime创建容器`test` -- -- ```sh -- $ sudo isula create -t -n test busybox -- ``` -- -- - 创建**runtime为runc**的容器`testrunc` -- -- ```sh -- $ sudo isula create -t --runtime runc -n testrunc busybox -- ``` -- -- --- 启动容器`test`: -- --```shell --$ sudo isula start test --``` -- --- 停止容器`test`: -- --```shell --$ sudo isula kill test --``` -- --- 移除容器`test` -- --```shell --$ sudo isula rm test --``` -- --#### CRI -- --`iSulad`可以通过CRI接口与kubernetes集成,如何与kubernetes集成请参考[k8s_integration](./docs/manual/k8s_integration_zh.md)。 -- --## Performance -- --采用[ptcr](https://gitee.com/openeuler/ptcr)作为容器引擎的性能测试工具,展示在不同架构的计算机中`iSulad`的性能效果。 -- --### ARM -- --- 10个容器串行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -- --ARM searially -- --- 100个容器并行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -- --ARM parallerlly -- --### X86 -- --- 10个容器串行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -- --X86 searially -- --- 100个容器并行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -- --X86 parallerlly -- --**关于性能测试的更多信息请查看** [Performance test](https://gitee.com/openeuler/iSulad/wikis/Performance?sort_id=5449355)。 -- --## Kernel Requirements -- --`iSulad`支持在3.0.x之后的Kernel上运行。 -- --## Compatibility -- --`iSulad` 能够兼容的标准规范版本如下: -- --- 兼容 1.0.0 版本的OCI --- 兼容 0.3.0 版本以上的CNI -+- [English version](README.md) -+ -+iSulad -+ -+ ![license](https://img.shields.io/badge/license-Mulan%20PSL%20v2-blue) ![language](https://img.shields.io/badge/language-C%2FC%2B%2B-blue) -+ -+## Introduction -+ -+`iSulad`是一个由C/C++编写实现的轻量级容器引擎,具有轻、灵、巧、快的特点,不受硬件规格和架构限制,底噪开销更小,可应用的领域更为广泛。 -+ -+## Architecture -+ -+`iSulad`架构的相关介绍请查看:[architecture](./docs/design/architecture_zh.md)。 -+ -+## Function -+ -+### Runtime -+ -+`iSulad`支持多种容器runtime,包括lxc、runc和kata。 -+ -+#### lxc -+ -+lxc是用C语言编写的开源容器操作runtime,资源占用少,适用于对底噪资源限制高的场景,为iSulad默认的runtime。 -+ -+#### runc -+ -+runc是用GO语言编写的符合OCI标准的runtime,使用runc时要求其使用的OCI runtime-spec version不低于iSulad支持的oci spec version 1.0.0。 -+ -+#### kata-runtime -+ -+kata-runtime是一个安全容器runtime,用于启动安全容器时使用。 -+ -+### Image -+ -+`iSulad`支持多种镜像格式,包括OCI标准镜像格式、external rootfs镜像格式和embedded image镜像格式。 -+ -+#### OCI -+ -+OCI标准镜像格式是与docker兼容的镜像格式,支持从远程镜像仓库拉取镜像、运行容器。 -+ -+#### external rootfs -+ -+external rootfs镜像格式允许用户自行准备可启动的`root fs`目录,主要用于系统容器场景。 -+ -+#### embedded image -+ -+embedded image镜像格式是`iSulad`特有的嵌入式镜像格式,占用资源低,主要用于嵌入式应用场景。 -+ -+### Operation Interface -+ -+`iSulad`提供两种不同的镜像和容器管理操作接口,分别为CLI和CRI。 -+ -+#### CLI -+ -+CLI采用命令行的形式进行镜像和容器管理,是标准的C/S架构模式,将iSulad作为daemon服务端,iSula作为独立的客户端命令,供用户使用。 -+ -+iSula提供的命令参数覆盖了常用的大部分应用场景,包括容器的操作接口,如运行、停止、删除、pause等操作,也包括镜像的相关操作,如下载、导入、删除等。 -+ -+#### CRI -+ -+CRI(Container Runtime Interface)是由K8S对外提供的容器和镜像的服务接口,供容器引擎接入K8s。 -+ -+CRI接口基于gRPC实现。iSulad遵循CRI接口规范,实现 CRI gRPC Server,CRI gRPC Server 中包括 Runtime Service 和 image Service,分别用来提供容器运行时接口和镜像操作接口。iSulad的 gRPC Server 需要监听本地的Unix socket,而K8s的组件 kubelet 则作为 gRPC Client 运行。 -+ -+## Getting Started -+ -+- [用法指南:openeuler官方手册](https://docs.openeuler.org/zh/docs/22.03_LTS/docs/Container/container.html) -+ -+- [开发指南](./docs/build_docs/README_zh.md) -+ -+- [用户手册](./docs/manual/README_zh.md) -+ -+- [设计文档](./docs/design/README_zh.md) -+ -+### Installing -+ -+`iSulad`可以使用`yum`命令进行安装,安装之前需要查看确保配置了openEuler仓库: -+ -+```shell -+$ cat << EOF > /etc/yum.repos.d/openEuler.repo -+[openEuler] -+baseurl=https://repo.openeuler.org/openEuler-22.03-LTS/OS/\$basearch -+enabled=1 -+EOF -+``` -+ -+用`yum`安装`iSulad`的命令如下: -+ -+```shell -+$ yum install -y iSulad -+``` -+ -+若运行安装命令后报如下错误: -+ -+```txt -+Repository 'openEuler' is missing name in configuration, using id. -+ -+You have enabled checking of packages via GPG keys. This is a good thing. -+However, you do not have any GPG public keys installed. You need to download -+the keys for packages you wish to install and install them. -+You can do that by running the command: -+ rpm --import public.gpg.key -+ -+ -+Alternatively you can specify the url to the key you would like to use -+for a repository in the 'gpgkey' option in a repository section and YUM -+will install it for you. -+ -+For more information contact your distribution or package provider. -+``` -+ -+则需要先运行`rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-openEuler`。 -+ -+### Configure -+ -+成功安装`iSulad`之后,需要先配置好容器镜像的注册地址,以"docker.io"为例: -+ -+```shell -+# cat /etc/isulad/daemon.json -+..... -+ "registry-mirrors": [ -+ "docker.io" -+ ], -+..... -+``` -+ -+### Run -+ -+`iSulad`提供了两种服务的启动方式: -+ -+1. 使用`systemd`服务来启动`iSulad` -+ -+```shell -+# 通过systemd命令来重启isulad服务 -+$ systemctl restart isulad -+``` -+ -+2. 直接使用命令启动`iSulad` -+ -+```shell -+# 使用默认套接字名称、默认日志级别和镜像管理功能启动isulad -+$ sudo isulad -+``` -+ -+### Operations on containers -+ -+`iSulad` 提供了两个管理镜像和容器的操作接口:CLI和CRI。 -+ -+#### **CLI** -+ -+`iSulad`使用 `iSula` 作为客户端命令,以下是利用CLI接口管理容器的一些基本命令: -+ -+- 列出当前环境下的所有容器: -+ -+```shell -+$ sudo isula ps -a -+``` -+ -+- 通过`busybox`镜像创建容器: -+ -+ - 采用默认的runtime创建容器`test` -+ -+ ```sh -+ $ sudo isula create -t -n test busybox -+ ``` -+ -+ - 创建**runtime为runc**的容器`testrunc` -+ -+ ```sh -+ $ sudo isula create -t --runtime runc -n testrunc busybox -+ ``` -+ -+ -+- 启动容器`test`: -+ -+```shell -+$ sudo isula start test -+``` -+ -+- 停止容器`test`: -+ -+```shell -+$ sudo isula kill test -+``` -+ -+- 移除容器`test` -+ -+```shell -+$ sudo isula rm test -+``` -+ -+#### CRI -+ -+`iSulad`可以通过CRI接口与kubernetes集成,如何与kubernetes集成请参考[k8s_integration](./docs/manual/k8s_integration_zh.md)。 -+ -+## Performance -+ -+采用[ptcr](https://gitee.com/openeuler/ptcr)作为容器引擎的性能测试工具,展示在不同架构的计算机中`iSulad`的性能效果。 -+ -+### ARM -+ -+- 10个容器串行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -+ -+ARM searially -+ -+- 100个容器并行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -+ -+ARM parallerlly -+ -+### X86 -+ -+- 10个容器串行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -+ -+X86 searially -+ -+- 100个容器并行操作的情况下,`iSula`与`docker`、`podman`的性能对比雷达图如下: -+ -+X86 parallerlly -+ -+**关于性能测试的更多信息请查看** [Performance test](https://gitee.com/openeuler/iSulad/wikis/Performance?sort_id=5449355)。 -+ -+## Kernel Requirements -+ -+`iSulad`支持在3.0.x之后的Kernel上运行。 -+ -+## Compatibility -+ -+`iSulad` 能够兼容的标准规范版本如下: -+ -+- 兼容 1.0.0 版本的OCI -+- 兼容 0.3.0 版本以上的CNI - - 兼容 2.1.x 版本以上的lcr -\ No newline at end of file -diff --git a/docs/design/architecture.md b/docs/design/architecture.md -index 7487616d..0c4d1dea 100644 ---- a/docs/design/architecture.md -+++ b/docs/design/architecture.md -@@ -1,43 +1,43 @@ --# iSulad Architecture -- --## Overview -- --![architecture](../images/arch.jpg) -- --iSulad is an OCI-compliant container runtime engine that emphasizes simplicity, robustness, performance and lightweight. -- --As a daemon process, it manages the entire container life cycle of the host system, including image transmission and storage, container execution and monitoring management, container resource management, and network management. iSulad provides Docker-like CLI for users. -- --You can use Docker-like commands to manage container images and iSulad provides gRPC APIs which comply with the CRI standard for Kubernetes. -- --iSulad is divided into different modules, and the modules are organized into subsystems. Understanding these modules, subsystems, and their relationships is important to modify and extend iSulad. -- --This document describes the high-level system architecture design. For more information about each module, please refer to the relevant design documents. -- --## Subsystem -- --You can interact with the iSulad by invoking gRPC APIs exported by the subsystem. -- --- **image service** : Image management service, provides image-related operations, such as image download, query, and deletion. --- **execution service**: Container life cycle management service, provides container-related operations, such as container creation, startup, and deletion. --- **network**:The network subsystem is responsible for network management capabilities of the pod of the CRI. When a pod is started, the pod is added to the network plane specified in the configuration file through the CNI interface. When a pod is stopped, the CNI API is used to remove the pod from the network plane where the pod is located and clear related network resources. -- --## Module -- --- **image content** : Managing Image Metadata and Container File Systems -- --- **resource manage**: Container resource management module, for example, setting available CPU and memory resource limits -- --- **Executor**:Runtime for executing actual container operations. The LCR acts as the default runtime and can be extended through the plug-in mechanism. -- --- **Events**:Container event collection module -- --- **Plugins**:Provides the plugin mechanism to extend container capabilities through different plugins. -- --- **HA**:This module provides fault locating and garbage collection service. -- --### Network architecture design -- --The figure shows the architecture: -- --![CNI_architecture](../images/CNI_architecture.png) -+# iSulad Architecture -+ -+## Overview -+ -+![architecture](../images/arch.jpg) -+ -+iSulad is an OCI-compliant container runtime engine that emphasizes simplicity, robustness, performance and lightweight. -+ -+As a daemon process, it manages the entire container life cycle of the host system, including image transmission and storage, container execution and monitoring management, container resource management, and network management. iSulad provides Docker-like CLI for users. -+ -+You can use Docker-like commands to manage container images and iSulad provides gRPC APIs which comply with the CRI standard for Kubernetes. -+ -+iSulad is divided into different modules, and the modules are organized into subsystems. Understanding these modules, subsystems, and their relationships is important to modify and extend iSulad. -+ -+This document describes the high-level system architecture design. For more information about each module, please refer to the relevant design documents. -+ -+## Subsystem -+ -+You can interact with the iSulad by invoking gRPC APIs exported by the subsystem. -+ -+- **image service** : Image management service, provides image-related operations, such as image download, query, and deletion. -+- **execution service**: Container life cycle management service, provides container-related operations, such as container creation, startup, and deletion. -+- **network**:The network subsystem is responsible for network management capabilities of the pod of the CRI. When a pod is started, the pod is added to the network plane specified in the configuration file through the CNI interface. When a pod is stopped, the CNI API is used to remove the pod from the network plane where the pod is located and clear related network resources. -+ -+## Module -+ -+- **image content** : Managing Image Metadata and Container File Systems -+ -+- **resource manage**: Container resource management module, for example, setting available CPU and memory resource limits -+ -+- **Executor**:Runtime for executing actual container operations. The LCR acts as the default runtime and can be extended through the plug-in mechanism. -+ -+- **Events**:Container event collection module -+ -+- **Plugins**:Provides the plugin mechanism to extend container capabilities through different plugins. -+ -+- **HA**:This module provides fault locating and garbage collection service. -+ -+### Network architecture design -+ -+The figure shows the architecture: -+ -+![CNI_architecture](../images/CNI_architecture.png) -diff --git a/docs/design/architecture_zh.md b/docs/design/architecture_zh.md -index 288bbfe4..d036bb56 100644 ---- a/docs/design/architecture_zh.md -+++ b/docs/design/architecture_zh.md -@@ -1,41 +1,41 @@ --# iSulad Architecture -- --## Overview -- --![architecture](../images/arch.jpg) -- --iSulad是一个基于OCI标准的容器运行引擎,强调简单性、健壮性和轻量化。 -- --作为守护进程,iSulad提供容器生命周期管理相关服务:包括镜像的传输和存储、容器执行和监控管理、容器资源管理以及网络等。iSulad对外提供与docker类似的CLI命令行接口,可使用该命令行进行容器管理;并且提供符合CRI接口标准的gRPC API,可供kubernetes 按照CRI接口协议调用。 -- --为了方便理解,我们将iSulad分成不同的模块,并根据模块的类别组织成子系统。了解这些模块、子系统及其关系是修改和扩展iSulad的关键 -- --本文档将仅描述各个模块的high-level功能设计。有关每个模块的详细信息,请参阅相关设计文档。 -- --## 子系统 -- --用户可通过调用子系统提供的GRPC API与iSulad进行交互。 -- --- **image service** : 镜像管理服务,提供镜像相关操作,如镜像下载、查询、删除等 --- **execution service**: 容器生命周期管理服务,提供容器的相关操作,如容器创建、启动、删除等 --- **network**:网络子模块负责CRI的Pod的网络管理能力。当Pod启动时,通过CNI的接口把该Pod加入到配置文件制定的网络平面中;当Pod停止时,通过CNI的接口把该Pod从所在的网络平面中退出,并且清理相关的网络资源。 -- --## 模块 -- --- **image content** : 管理镜像元数据以及容器文件系统。 -- --- **resource manage**: 容器资源管理,如设置可用cpu、memory等资源限制 -- --- **Executor**:执行实际容器操作的runtime,提供lcr作为默认runtime,可通过plugin机制扩展 -- --- **Events**:容器事件收集 -- --- **Plugins**:提供插件机制,通过不同插件,实现扩展容器功能。 -- --- **HA**:提供日志机制用于定位问题,提供garbage collect 机制回收容器D/Z 等异常容器资源。 -- --### 网络架构设计 -- --架构图,如下: -- --![CNI_architecture](../images/CNI_architecture.png) -+# iSulad Architecture -+ -+## Overview -+ -+![architecture](../images/arch.jpg) -+ -+iSulad是一个基于OCI标准的容器运行引擎,强调简单性、健壮性和轻量化。 -+ -+作为守护进程,iSulad提供容器生命周期管理相关服务:包括镜像的传输和存储、容器执行和监控管理、容器资源管理以及网络等。iSulad对外提供与docker类似的CLI命令行接口,可使用该命令行进行容器管理;并且提供符合CRI接口标准的gRPC API,可供kubernetes 按照CRI接口协议调用。 -+ -+为了方便理解,我们将iSulad分成不同的模块,并根据模块的类别组织成子系统。了解这些模块、子系统及其关系是修改和扩展iSulad的关键 -+ -+本文档将仅描述各个模块的high-level功能设计。有关每个模块的详细信息,请参阅相关设计文档。 -+ -+## 子系统 -+ -+用户可通过调用子系统提供的GRPC API与iSulad进行交互。 -+ -+- **image service** : 镜像管理服务,提供镜像相关操作,如镜像下载、查询、删除等 -+- **execution service**: 容器生命周期管理服务,提供容器的相关操作,如容器创建、启动、删除等 -+- **network**:网络子模块负责CRI的Pod的网络管理能力。当Pod启动时,通过CNI的接口把该Pod加入到配置文件制定的网络平面中;当Pod停止时,通过CNI的接口把该Pod从所在的网络平面中退出,并且清理相关的网络资源。 -+ -+## 模块 -+ -+- **image content** : 管理镜像元数据以及容器文件系统。 -+ -+- **resource manage**: 容器资源管理,如设置可用cpu、memory等资源限制 -+ -+- **Executor**:执行实际容器操作的runtime,提供lcr作为默认runtime,可通过plugin机制扩展 -+ -+- **Events**:容器事件收集 -+ -+- **Plugins**:提供插件机制,通过不同插件,实现扩展容器功能。 -+ -+- **HA**:提供日志机制用于定位问题,提供garbage collect 机制回收容器D/Z 等异常容器资源。 -+ -+### 网络架构设计 -+ -+架构图,如下: -+ -+![CNI_architecture](../images/CNI_architecture.png) -diff --git a/docs/design/detailed/CRI/k8s125_New_Add_CRI.md b/docs/design/detailed/CRI/k8s125_New_Add_CRI.md -index aa8a9e17..1adf3e73 100644 ---- a/docs/design/detailed/CRI/k8s125_New_Add_CRI.md -+++ b/docs/design/detailed/CRI/k8s125_New_Add_CRI.md -@@ -1,162 +1,162 @@ --# 章节一:CRI接口升级背景及版本 --背景:当前iSulad CRI接口版本采用的K8s 1.15版本,升级至k8s1.25,CRI接口需要对升级后的新增CRI字段进行补充。 -- --版本:升级至k8s1.25。 --# 章节二:新增功能 -- --## 1、Image -- --### 1.1、ListImages -- void ListImages(const runtime::v1alpha2::ImageFilter &filter, -- std::vector> *images, Errors &error) override;" -- --**新增CRI字段** -- --ImageFilter里面的ImageSpec新增 map annotations = 2。 --Image中新增ImageSpec spec = 7;bool pinned = 8;ImageSpec里面新增 map annotations = 2。 --### 1.2、ImageStatus -- std::unique_ptr ImageStatus(construntime::v1alpha2::ImageSpec &image,Errors &error) override; -- --**新增CRI字段** -- --Image中新增ImageSpec spec = 7;bool pinned = 8;ImageSpec里面新增 map annotations = 2; --### 1.3、PullImage -- std::string PullImage(const runtime::v1alpha2::ImageSpec &image, const runtime::v1alpha2::AuthConfig &auth,Errors &error) override; -- --**新增CRI字段** -- --ImageSpec里面新增 map annotations = 2;AuthConfig 无新增 --### 1.4、RemoveImage -- void RemoveImage(const runtime::v1alpha2::ImageSpec &image, Errors &error) override; -- --**新增CRI字段** -- --ImageSpec里面新增 map annotations = 2; --### 1.5、ImageFsInfo --无新增CRI字段 --## 2、POD --### 2.1、RunPodSandbox -- auto RunPodSandbox(const runtime::v1alpha2::PodSandboxConfig &config, const std::string &runtimeHandler,Errors &error) -> std::string; -- --**新增CRI字段** -- --1、新增WindowsPodSandboxConfig windows = 9; -- --2、原有LinuxPodSandboxConfig中新增LinuxContainerResources overhead = 4;LinuxContainerResources resources = 5; -- --3、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中新增新增SecurityProfile seccomp = 9;SecurityProfile apparmor = 10; -- --4、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -- --5、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption原有中NamespaceMode新增TARGET --### 2.2、StopPodSandbox -- void StopPodSandbox(const std::string &podSandboxID, Errors &error); -- --**新增CRI字段** -- --1、原有PodSandboxNetworkStatus中新增repeated PodIP additional_ips = 2; -- --2、原有LinuxPodSandboxStatus中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -- --3、原有LinuxPodSandboxStatus中原有NamespaceOption中原有中NamespaceMode新增TARGET --### 2.3、RemovePodSandbox --无新增CRI字段 --### 2.4、PodSandboxStatus -- auto PodSandboxStatus(const std::string &podSandboxID, Errors &error) -- -> std::unique_ptr; -- --**新增CRI字段** -- --1、原有PodSandboxNetworkStatus中新增repeated PodIP additional_ips = 2; -- --2、原有LinuxPodSandboxStatus中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -- --3、原有LinuxPodSandboxStatus中原有NamespaceOption中原有中NamespaceMode新增TARGET --### 2.5、ListPodSandbox --无新增CRI字段 --### 2.6、PortForward --该函数未实现 --## 3、Container --### 3.1、CreateContainer -- auto CreateContainer(const std::string &podSandboxID, const runtime::v1alpha2::ContainerConfig &containerConfig, -- const runtime::v1alpha2::PodSandboxConfig &podSandboxConfig, Errors &error) -> std::string; --**新增CRI字段1** -- --1、原有ImageSpec中新增map annotations = 2; -- --2、原有LinuxContainerConfig中原有LinuxContainerResources新增repeated HugepageLimit hugepage_limits = 8;map unified = 9;int64 memory_swap_limit_in_bytes = 10; -- --3、原有LinuxContainerConfig中原有LinuxContainerSecurityContext新增SecurityProfile seccomp = 15;SecurityProfile apparmor = 16; -- --4、原有LinuxContainerConfig中原有LinuxContainerSecurityContext中原有Capability新增repeated string add_ambient_capabilities = 3; -- --5、原有LinuxContainerConfig中原有LinuxContainerSecurityContext中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -- --6、原有LinuxContainerConfig中原有LinuxContainerSecurityContext中原有NamespaceOption中原有NamespaceMode新增TARGET -- --7、原有WindowsContainerConfig中原有WindowsContainerResources新增int64 rootfs_size_in_bytes = 5; -- --8、原有WindowsContainerConfig中原有WindowsContainerSecurityContext新增bool host_process = 3; -- --**新增CRI字段2** -- --1、新增WindowsPodSandboxConfig windows = 9; -- --2、原有LinuxPodSandboxConfig中新增LinuxContainerResources overhead = 4;LinuxContainerResources resources = 5 -- --3、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中新增新增SecurityProfile seccomp = 9;SecurityProfile apparmor = 10; -- --4、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -- --5、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption原有中NamespaceMode新增TARGET --### 3.2、StartContainer --无新增CRI字段 --### 3.3、StopContainer --无新增CRI字段 --### 3.4、RemoveContainer --无新增CRI字段 --### 3.5、ListContainers -- void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -- std::vector> *containers, Errors &error); -- --**新增CRI字段** -- --Container中原有ImageSpec新增 map annotations = 2; --### 3.6、ListContainerStats -- void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, -- std::vector> *containerstats, -- Errors &error); -- --**新增CRI字段** -- --ContainerStatsFilter无新增CRI字段,ContainerStats中新增字段如下: -- --1、原有MemoryUsage新增UInt64Value available_bytes = 3;UInt64Value usage_bytes = 4; UInt64Value rss_bytes = 5;UInt64Value page_faults = 6;UInt64Value major_page_faults = 7; -- --2、原有CpuUsage新增UInt64Value usage_nano_cores = 3; --## 3.7、ContainerStatus -- auto ContainerStatus(const std::string &containerID, Errors &error) -- -> std::unique_ptr; -- --**新增CRI字段** -- --ContainerStatus中新增字段ContainerResources resources = 16; --### 3.8、UpdateContainerResources -- void UpdateContainerResources(const std::string &containerID,const runtime::v1alpha2::LinuxContainerResources &resources, Errors &error) -- --**新增CRI字段** -- --LinuxContainerResources中新增字段repeated HugepageLimit hugepage_limits = 8;map unified = 9;int64 memory_swap_limit_in_bytes = 10; -- --### 3.9、UpdateRuntimeConfig --无新增CRI字段 --### 3.10、Status --无新增CRI字段 --### 3.11、Version --无新增CRI字段 --### 3.12、ExecSync --无新增CRI字段 --### 3.13、Exec --无新增CRI字段 --### 3.14、Attach --无新增CRI字段 -+# 章节一:CRI接口升级背景及版本 -+背景:当前iSulad CRI接口版本采用的K8s 1.15版本,升级至k8s1.25,CRI接口需要对升级后的新增CRI字段进行补充。 -+ -+版本:升级至k8s1.25。 -+# 章节二:新增功能 -+ -+## 1、Image -+ -+### 1.1、ListImages -+ void ListImages(const runtime::v1alpha2::ImageFilter &filter, -+ std::vector> *images, Errors &error) override;" -+ -+**新增CRI字段** -+ -+ImageFilter里面的ImageSpec新增 map annotations = 2。 -+Image中新增ImageSpec spec = 7;bool pinned = 8;ImageSpec里面新增 map annotations = 2。 -+### 1.2、ImageStatus -+ std::unique_ptr ImageStatus(construntime::v1alpha2::ImageSpec &image,Errors &error) override; -+ -+**新增CRI字段** -+ -+Image中新增ImageSpec spec = 7;bool pinned = 8;ImageSpec里面新增 map annotations = 2; -+### 1.3、PullImage -+ std::string PullImage(const runtime::v1alpha2::ImageSpec &image, const runtime::v1alpha2::AuthConfig &auth,Errors &error) override; -+ -+**新增CRI字段** -+ -+ImageSpec里面新增 map annotations = 2;AuthConfig 无新增 -+### 1.4、RemoveImage -+ void RemoveImage(const runtime::v1alpha2::ImageSpec &image, Errors &error) override; -+ -+**新增CRI字段** -+ -+ImageSpec里面新增 map annotations = 2; -+### 1.5、ImageFsInfo -+无新增CRI字段 -+## 2、POD -+### 2.1、RunPodSandbox -+ auto RunPodSandbox(const runtime::v1alpha2::PodSandboxConfig &config, const std::string &runtimeHandler,Errors &error) -> std::string; -+ -+**新增CRI字段** -+ -+1、新增WindowsPodSandboxConfig windows = 9; -+ -+2、原有LinuxPodSandboxConfig中新增LinuxContainerResources overhead = 4;LinuxContainerResources resources = 5; -+ -+3、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中新增新增SecurityProfile seccomp = 9;SecurityProfile apparmor = 10; -+ -+4、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -+ -+5、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption原有中NamespaceMode新增TARGET -+### 2.2、StopPodSandbox -+ void StopPodSandbox(const std::string &podSandboxID, Errors &error); -+ -+**新增CRI字段** -+ -+1、原有PodSandboxNetworkStatus中新增repeated PodIP additional_ips = 2; -+ -+2、原有LinuxPodSandboxStatus中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -+ -+3、原有LinuxPodSandboxStatus中原有NamespaceOption中原有中NamespaceMode新增TARGET -+### 2.3、RemovePodSandbox -+无新增CRI字段 -+### 2.4、PodSandboxStatus -+ auto PodSandboxStatus(const std::string &podSandboxID, Errors &error) -+ -> std::unique_ptr; -+ -+**新增CRI字段** -+ -+1、原有PodSandboxNetworkStatus中新增repeated PodIP additional_ips = 2; -+ -+2、原有LinuxPodSandboxStatus中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -+ -+3、原有LinuxPodSandboxStatus中原有NamespaceOption中原有中NamespaceMode新增TARGET -+### 2.5、ListPodSandbox -+无新增CRI字段 -+### 2.6、PortForward -+该函数未实现 -+## 3、Container -+### 3.1、CreateContainer -+ auto CreateContainer(const std::string &podSandboxID, const runtime::v1alpha2::ContainerConfig &containerConfig, -+ const runtime::v1alpha2::PodSandboxConfig &podSandboxConfig, Errors &error) -> std::string; -+**新增CRI字段1** -+ -+1、原有ImageSpec中新增map annotations = 2; -+ -+2、原有LinuxContainerConfig中原有LinuxContainerResources新增repeated HugepageLimit hugepage_limits = 8;map unified = 9;int64 memory_swap_limit_in_bytes = 10; -+ -+3、原有LinuxContainerConfig中原有LinuxContainerSecurityContext新增SecurityProfile seccomp = 15;SecurityProfile apparmor = 16; -+ -+4、原有LinuxContainerConfig中原有LinuxContainerSecurityContext中原有Capability新增repeated string add_ambient_capabilities = 3; -+ -+5、原有LinuxContainerConfig中原有LinuxContainerSecurityContext中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -+ -+6、原有LinuxContainerConfig中原有LinuxContainerSecurityContext中原有NamespaceOption中原有NamespaceMode新增TARGET -+ -+7、原有WindowsContainerConfig中原有WindowsContainerResources新增int64 rootfs_size_in_bytes = 5; -+ -+8、原有WindowsContainerConfig中原有WindowsContainerSecurityContext新增bool host_process = 3; -+ -+**新增CRI字段2** -+ -+1、新增WindowsPodSandboxConfig windows = 9; -+ -+2、原有LinuxPodSandboxConfig中新增LinuxContainerResources overhead = 4;LinuxContainerResources resources = 5 -+ -+3、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中新增新增SecurityProfile seccomp = 9;SecurityProfile apparmor = 10; -+ -+4、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption中新增string target_id = 4;新增UserNamespace userns_options = 5; -+ -+5、原有LinuxPodSandboxConfig中原有LinuxSandboxSecurityContext中原有NamespaceOption原有中NamespaceMode新增TARGET -+### 3.2、StartContainer -+无新增CRI字段 -+### 3.3、StopContainer -+无新增CRI字段 -+### 3.4、RemoveContainer -+无新增CRI字段 -+### 3.5、ListContainers -+ void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -+ std::vector> *containers, Errors &error); -+ -+**新增CRI字段** -+ -+Container中原有ImageSpec新增 map annotations = 2; -+### 3.6、ListContainerStats -+ void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, -+ std::vector> *containerstats, -+ Errors &error); -+ -+**新增CRI字段** -+ -+ContainerStatsFilter无新增CRI字段,ContainerStats中新增字段如下: -+ -+1、原有MemoryUsage新增UInt64Value available_bytes = 3;UInt64Value usage_bytes = 4; UInt64Value rss_bytes = 5;UInt64Value page_faults = 6;UInt64Value major_page_faults = 7; -+ -+2、原有CpuUsage新增UInt64Value usage_nano_cores = 3; -+## 3.7、ContainerStatus -+ auto ContainerStatus(const std::string &containerID, Errors &error) -+ -> std::unique_ptr; -+ -+**新增CRI字段** -+ -+ContainerStatus中新增字段ContainerResources resources = 16; -+### 3.8、UpdateContainerResources -+ void UpdateContainerResources(const std::string &containerID,const runtime::v1alpha2::LinuxContainerResources &resources, Errors &error) -+ -+**新增CRI字段** -+ -+LinuxContainerResources中新增字段repeated HugepageLimit hugepage_limits = 8;map unified = 9;int64 memory_swap_limit_in_bytes = 10; -+ -+### 3.9、UpdateRuntimeConfig -+无新增CRI字段 -+### 3.10、Status -+无新增CRI字段 -+### 3.11、Version -+无新增CRI字段 -+### 3.12、ExecSync -+无新增CRI字段 -+### 3.13、Exec -+无新增CRI字段 -+### 3.14、Attach -+无新增CRI字段 -diff --git a/docs/design/detailed/Container/state_check.md b/docs/design/detailed/Container/state_check.md -index 69df60b0..a40f3201 100644 ---- a/docs/design/detailed/Container/state_check.md -+++ b/docs/design/detailed/Container/state_check.md -@@ -1,247 +1,247 @@ --# 状态概况 -- --## 容器的状态以及转换关系 -- --```mermaid --stateDiagram -- direction LR -- created -- running -- paused -- gced -- stoped -- deleted -- state origin <> -- -- origin --> created : isula create -- origin --> running : isula run -- created --> running : isula start -- created --> running : isula restart -- running --> paused : isula pause -- running --> running : isula restart -- paused --> running : isula unpause -- paused --> running : isula restart -- paused --> gced : isula stop -- paused --> gced : isula kill -- running --> gced : isula kill -- running --> gced : isula stop -- stoped --> running : isula restart -- gced --> stoped -- stoped --> running : isula start -- stoped --> deleted: isula rm --``` -- --1. created: 不创建名称相同的容器 --2. running:若已经running状态则不需要进行start操作 --3. paused:若已经位于gc状态则无需pause操作,该状态下无法执行start、exec、attach和rm等,但是应该是可以支持rm -f的 --4. gced:若位于gc,则容器都不做其他操作。 --5. stoped --6. deleted:若位于removal状态,则无需再rm,若为running状态,则无法rm,若位于paused状态,则使用-f时,应该可以删除。 -- -- -- --## isulad代码中设置的状态 -- --| 状态 | true | false | 判定方式 | 拿容器锁前判定 | 拿容器锁后判断 | 其他使用 | --| ------------------------- | ------------------------------------------------------------ | :----------------------------------------------------------: | ------------------------------------------- | ---------------------- | --------------------------------- | ------------------------------------------- | --| running | container_state_set_running、container_state_set_restarting、container_restart_update_start_and_finish_time:在start操作完全完成之后设置 | container_state_set_stopped | container_is_running | rm、start、用户restart | start、kill、restart、pause、stop | | --| paused | container_state_set_paused:在pause操作完成之后设置 | container_state_set_stopped | container_is_paused | rm | start、stop | | --| restartring | container_state_set_restarting:系统自动的restart一开始设置 | container_state_set_running、container_state_set_stopped、container_restart_update_start_and_finish_time | container_is_restarting | | pause、stop | | --| has_been_manually_stopped | stop和kill操作时直接赋值 | container_state_reset_has_been_manual_stopped start和restore paused以及running容器时 | container_state_get_has_been_manual_stopped | | | 用于区分容器异常停止退出和用户主动退出 | --| starting | container_state_set_starting:在start的callback函数一开始设置 | container_state_reset_starting、container_state_set_running、container_state_set_stopped、container_restart_update_start_and_finish_time | if判断 | | | 用于restore时容器状态的判断和容器状态的显示 | --| removal_inprogress | set_container_to_removal封装的container_state_set_removal_in_progress:在delete的callback函数一开始设置 | container_state_reset_removal_in_progress | container_is_removal_in_progress | | start、用户restart | | --| dead | container_state_set_dead:未被设置 | | container_is_dead | | | 未被使用 | -- -- -- --其他有关的变量: -- --1. restart_manager_cancel:通知restart_manager取消restart动作,会对rm->canceled = true; -- --2. cont->hostconfig->auto_remove_bak和 cont->hostconfig->auto_remove:create的时候赋值,在option中有与之对应的配置,默认为false。 -- --为什么设置两个: -- --因为在restart的stop过程中,需要将容器 cont->hostconfig->auto_remove置为false,从而防止容器在restart过程中被删除。还原时需要用bak备份的,gc和restore时也用bak为了保证不使用改变后的值。 -- --auto_remove作用: -- --(1)当位于异常stop状态,且重启策略不重启、auto_remove_bak为true时,就会设置状态为removal状态,并且delete_container。 -- --(2)当start异常时,若设置了auto_remove,则需要先将容器的状态设置为removal之后删除容器,然后将容器状态存入disk。 -- --(3)当容器的auto_remove设置为true时,容器的重启策略必须为no,不重启 -- --auto_remove_bak作用: -- --(1)当gc之后,且重启策略没将容器running且auto_remove_bak为true时,就会设置状态为removal状态,并且delete_container。 -- --(2)当restore时,当容器不处于running状态且auto_remove_bak为true时,就会设置状态为removal状态,并且delete_container。 -- --## gc的状态检查 -- --| 判定方式 | 拿容器锁前判定 | 拿容器锁后判定 | --| ------------------------------------------------- | ------------------------------------------- | -------------- | --| 判断容器id是否位于g_gc_containers.containers_list | kill、pause、stop、系统restart、用户restart | rm、start | -- -- -- --# 现有状态转换 -- --## create过程 -- --- create结束的标志是:将容器id和结构体conf作为key和value存入g_containers_store->map中即create成功,delete在最后的过程中才将容器id的map项删除 -- --![create](../../../images/Container_state/create.svg) -- -- -- --## pause过程 -- --![paused](../../../images/Container_state/paused.svg) -- --1. 是不是在pause在获得容器锁之前,需要补充: -- --```c -- if (container_is_removal_in_progress(cont->state) || container_is_dead(cont->state)) { -- ERROR("Container is marked for removal and cannot be started."); -- isulad_set_error_message("Container is marked for removal and cannot be started."); -- ret = -1; -- goto out; -- } --``` -- --## running状态 -- --这里在start_container之前不需要检查是否位于gc状态是因为,gc结束之后可能是位于stop状态,stop之后是允许start的,而在状态检查和start_container中间,准备工作还需要一段时间。 -- --![running](../../../images/Container_state/running.svg) -- --​ Q: -- --1. docker中start一个paused的容器会报错容器位于paused状态,需要先unpased,而在我们的逻辑中,由于running状态和paused状态时一起为true的,现有状态检查中,只是检查出他位于running状态,无需进行start操作,不会返回用户信息。 -- --## stop过程 -- --Q:在发送命令创建之后检查容器容器是不是运行状态?发送命令之后通过running的变化得知是否完成了stop?runtime中是会对容器状态改变吗? -- --![stop](../../../images/Container_state/stop.svg) -- -- -- -- -- --1. 是不是在gc状态会包含了容器在删除过程中吗?或者说是不是在删除时,第一过程就是要将全局的id与conf删除,则没获取到就是校验了,如果不包含,则stop在获得容器锁之前,需要补充: -- --```c -- if (container_is_removal_in_progress(cont->state) || container_is_dead(cont->state)) { -- ERROR("Container is marked for removal and cannot be started."); -- isulad_set_error_message("Container is marked for removal and cannot be started."); -- ret = -1; -- goto out; -- } --``` -- --但是由于,如果需要强行删除容器,因为在删除的最初已经将删除状态设置了,若在stop中加入了检查是否在删除状态,就会直接退出,不会再进行之后的操作。但是可以在force情况下也对stop放弃此检查?? -- --2.与docker中行为的不同: -- --在docker中容器位于paused状态也可以进行stop和kill以及restart,但是我们代码里面 -- --```c --if (container_is_paused(cont->state)) { -- ERROR("Container %s is paused. Unpause the container before stopping or killing", id); -- isulad_set_error_message("Container %s is paused. Unpause the container before stopping or killing", id); -- ret = -1; -- goto out; -- } --``` -- --在stop时检查了是否处于paused,若处于,则直接错误返回,而在kill时是没有进行检查的,而在用户手册中展示的为: -- --![openeuler](../../../images/Container_state/openeuler.png) -- --而stop的这个行为导致强行 rm 和restart时都对于处于pause状态的容器无法操作。 -- --是需要和docker一致?还是保持原样,保持原样的话是不是需要将备注错误信息改一下呢? -- --## gc和supervisor过程 -- --gc过程结束之后才会将容器从g_gc_containers.containers_list中清除。 -- --全局的g_gc_containers.containers_list中,而判断容器是否在gc状态的标准就是是不是在全局的这个list中 -- --```c --/* gc is gc progress */ --bool gc_is_gc_progress(const char *id) --{ -- bool ret = false; -- struct linked_list *it = NULL; -- struct linked_list *next = NULL; -- container_garbage_config_gc_containers_element *cont = NULL; -- -- gc_containers_lock(); -- -- linked_list_for_each_safe(it, &g_gc_containers.containers_list, next) { -- cont = (container_garbage_config_gc_containers_element *)it->elem; -- if (strcmp(id, cont->id) == 0) { -- ret = true; -- break; -- } -- } -- -- gc_containers_unlock(); -- -- return ret; --} --``` -- -- -- --![gc_supervisor](../../../images/Container_state/gc_supervisor.svg) -- --​ Q:resume container时啥作用,是start容器吗?这里为什么要做,且不需要容器状态检查 -- --## delete过程 -- --在容器状态异常发生stop event且不restart的状态下,也需要对容器delete_container,但是感觉疑问还是在,因为可以在delete_container中对状态进行判断之后在do_delete_container才进行remove状态的设置:可能是为了增加删除的概率,若在竞争状态下,先设置为removal能阻止其他的容器操作进程运行,但是其他的对于这个状态的判断很少 -- --![delete](../../../images/Container_state/delete.svg) -- -- -- --## kill过程 -- --![kill](../../../images/Container_state/kill.svg) -- --## restart过程 -- --restart有两种,一种是重启策略的重启,默认的重启策略为no,若设置为always或者设置为unless-stoped且has_been_manually_stopped为fasle时,会重启;另一种是在用户使用restart命令时,也会对容器进行restart,因此在执行stop_and_start里面时,才需要对running状态进行检查。 -- --### 用户restart -- --![user_restart](../../../images/Container_state/user_restart.svg) -- --### 容器event变为 stopped之后引发的容器状态改变 -- --![sys_restart](../../../images/Container_state/sys_restart.svg) -- -- -- --# Question -- --## 在获得容器锁之前的状态检查和在获得容器锁之后的状态检查有什么区别? -- --在之前检查的是必然没必要往下走的状态,而在获得容器锁之后检查的是必须保证满足开始进行操作的条件的状态,更严格。在第一次检查和获得容器锁之间有一段时间,需要允许其他操作并发操作。 -- --## gc持有锁的情况 -- --1. 在清理容器资源时,需要获得容器的锁:clean_container_resource -- --## 状态改变但没有落盘 -- --src/daemon/executor/container_cb/execution.c #391、421、502 -- --src/daemon/modules/container/restart_manager/restartmanager.c #104 -- --src/daemon/executor/container_cb/execution_extend.c #534 这里为什么要将这个放在container_update_health_monitor后面,里面好像没有涉及到状态的改变。 -+# 状态概况 -+ -+## 容器的状态以及转换关系 -+ -+```mermaid -+stateDiagram -+ direction LR -+ created -+ running -+ paused -+ gced -+ stoped -+ deleted -+ state origin <> -+ -+ origin --> created : isula create -+ origin --> running : isula run -+ created --> running : isula start -+ created --> running : isula restart -+ running --> paused : isula pause -+ running --> running : isula restart -+ paused --> running : isula unpause -+ paused --> running : isula restart -+ paused --> gced : isula stop -+ paused --> gced : isula kill -+ running --> gced : isula kill -+ running --> gced : isula stop -+ stoped --> running : isula restart -+ gced --> stoped -+ stoped --> running : isula start -+ stoped --> deleted: isula rm -+``` -+ -+1. created: 不创建名称相同的容器 -+2. running:若已经running状态则不需要进行start操作 -+3. paused:若已经位于gc状态则无需pause操作,该状态下无法执行start、exec、attach和rm等,但是应该是可以支持rm -f的 -+4. gced:若位于gc,则容器都不做其他操作。 -+5. stoped -+6. deleted:若位于removal状态,则无需再rm,若为running状态,则无法rm,若位于paused状态,则使用-f时,应该可以删除。 -+ -+ -+ -+## isulad代码中设置的状态 -+ -+| 状态 | true | false | 判定方式 | 拿容器锁前判定 | 拿容器锁后判断 | 其他使用 | -+| ------------------------- | ------------------------------------------------------------ | :----------------------------------------------------------: | ------------------------------------------- | ---------------------- | --------------------------------- | ------------------------------------------- | -+| running | container_state_set_running、container_state_set_restarting、container_restart_update_start_and_finish_time:在start操作完全完成之后设置 | container_state_set_stopped | container_is_running | rm、start、用户restart | start、kill、restart、pause、stop | | -+| paused | container_state_set_paused:在pause操作完成之后设置 | container_state_set_stopped | container_is_paused | rm | start、stop | | -+| restartring | container_state_set_restarting:系统自动的restart一开始设置 | container_state_set_running、container_state_set_stopped、container_restart_update_start_and_finish_time | container_is_restarting | | pause、stop | | -+| has_been_manually_stopped | stop和kill操作时直接赋值 | container_state_reset_has_been_manual_stopped start和restore paused以及running容器时 | container_state_get_has_been_manual_stopped | | | 用于区分容器异常停止退出和用户主动退出 | -+| starting | container_state_set_starting:在start的callback函数一开始设置 | container_state_reset_starting、container_state_set_running、container_state_set_stopped、container_restart_update_start_and_finish_time | if判断 | | | 用于restore时容器状态的判断和容器状态的显示 | -+| removal_inprogress | set_container_to_removal封装的container_state_set_removal_in_progress:在delete的callback函数一开始设置 | container_state_reset_removal_in_progress | container_is_removal_in_progress | | start、用户restart | | -+| dead | container_state_set_dead:未被设置 | | container_is_dead | | | 未被使用 | -+ -+ -+ -+其他有关的变量: -+ -+1. restart_manager_cancel:通知restart_manager取消restart动作,会对rm->canceled = true; -+ -+2. cont->hostconfig->auto_remove_bak和 cont->hostconfig->auto_remove:create的时候赋值,在option中有与之对应的配置,默认为false。 -+ -+为什么设置两个: -+ -+因为在restart的stop过程中,需要将容器 cont->hostconfig->auto_remove置为false,从而防止容器在restart过程中被删除。还原时需要用bak备份的,gc和restore时也用bak为了保证不使用改变后的值。 -+ -+auto_remove作用: -+ -+(1)当位于异常stop状态,且重启策略不重启、auto_remove_bak为true时,就会设置状态为removal状态,并且delete_container。 -+ -+(2)当start异常时,若设置了auto_remove,则需要先将容器的状态设置为removal之后删除容器,然后将容器状态存入disk。 -+ -+(3)当容器的auto_remove设置为true时,容器的重启策略必须为no,不重启 -+ -+auto_remove_bak作用: -+ -+(1)当gc之后,且重启策略没将容器running且auto_remove_bak为true时,就会设置状态为removal状态,并且delete_container。 -+ -+(2)当restore时,当容器不处于running状态且auto_remove_bak为true时,就会设置状态为removal状态,并且delete_container。 -+ -+## gc的状态检查 -+ -+| 判定方式 | 拿容器锁前判定 | 拿容器锁后判定 | -+| ------------------------------------------------- | ------------------------------------------- | -------------- | -+| 判断容器id是否位于g_gc_containers.containers_list | kill、pause、stop、系统restart、用户restart | rm、start | -+ -+ -+ -+# 现有状态转换 -+ -+## create过程 -+ -+- create结束的标志是:将容器id和结构体conf作为key和value存入g_containers_store->map中即create成功,delete在最后的过程中才将容器id的map项删除 -+ -+![create](../../../images/Container_state/create.svg) -+ -+ -+ -+## pause过程 -+ -+![paused](../../../images/Container_state/paused.svg) -+ -+1. 是不是在pause在获得容器锁之前,需要补充: -+ -+```c -+ if (container_is_removal_in_progress(cont->state) || container_is_dead(cont->state)) { -+ ERROR("Container is marked for removal and cannot be started."); -+ isulad_set_error_message("Container is marked for removal and cannot be started."); -+ ret = -1; -+ goto out; -+ } -+``` -+ -+## running状态 -+ -+这里在start_container之前不需要检查是否位于gc状态是因为,gc结束之后可能是位于stop状态,stop之后是允许start的,而在状态检查和start_container中间,准备工作还需要一段时间。 -+ -+![running](../../../images/Container_state/running.svg) -+ -+​ Q: -+ -+1. docker中start一个paused的容器会报错容器位于paused状态,需要先unpased,而在我们的逻辑中,由于running状态和paused状态时一起为true的,现有状态检查中,只是检查出他位于running状态,无需进行start操作,不会返回用户信息。 -+ -+## stop过程 -+ -+Q:在发送命令创建之后检查容器容器是不是运行状态?发送命令之后通过running的变化得知是否完成了stop?runtime中是会对容器状态改变吗? -+ -+![stop](../../../images/Container_state/stop.svg) -+ -+ -+ -+ -+ -+1. 是不是在gc状态会包含了容器在删除过程中吗?或者说是不是在删除时,第一过程就是要将全局的id与conf删除,则没获取到就是校验了,如果不包含,则stop在获得容器锁之前,需要补充: -+ -+```c -+ if (container_is_removal_in_progress(cont->state) || container_is_dead(cont->state)) { -+ ERROR("Container is marked for removal and cannot be started."); -+ isulad_set_error_message("Container is marked for removal and cannot be started."); -+ ret = -1; -+ goto out; -+ } -+``` -+ -+但是由于,如果需要强行删除容器,因为在删除的最初已经将删除状态设置了,若在stop中加入了检查是否在删除状态,就会直接退出,不会再进行之后的操作。但是可以在force情况下也对stop放弃此检查?? -+ -+2.与docker中行为的不同: -+ -+在docker中容器位于paused状态也可以进行stop和kill以及restart,但是我们代码里面 -+ -+```c -+if (container_is_paused(cont->state)) { -+ ERROR("Container %s is paused. Unpause the container before stopping or killing", id); -+ isulad_set_error_message("Container %s is paused. Unpause the container before stopping or killing", id); -+ ret = -1; -+ goto out; -+ } -+``` -+ -+在stop时检查了是否处于paused,若处于,则直接错误返回,而在kill时是没有进行检查的,而在用户手册中展示的为: -+ -+![openeuler](../../../images/Container_state/openeuler.png) -+ -+而stop的这个行为导致强行 rm 和restart时都对于处于pause状态的容器无法操作。 -+ -+是需要和docker一致?还是保持原样,保持原样的话是不是需要将备注错误信息改一下呢? -+ -+## gc和supervisor过程 -+ -+gc过程结束之后才会将容器从g_gc_containers.containers_list中清除。 -+ -+全局的g_gc_containers.containers_list中,而判断容器是否在gc状态的标准就是是不是在全局的这个list中 -+ -+```c -+/* gc is gc progress */ -+bool gc_is_gc_progress(const char *id) -+{ -+ bool ret = false; -+ struct linked_list *it = NULL; -+ struct linked_list *next = NULL; -+ container_garbage_config_gc_containers_element *cont = NULL; -+ -+ gc_containers_lock(); -+ -+ linked_list_for_each_safe(it, &g_gc_containers.containers_list, next) { -+ cont = (container_garbage_config_gc_containers_element *)it->elem; -+ if (strcmp(id, cont->id) == 0) { -+ ret = true; -+ break; -+ } -+ } -+ -+ gc_containers_unlock(); -+ -+ return ret; -+} -+``` -+ -+ -+ -+![gc_supervisor](../../../images/Container_state/gc_supervisor.svg) -+ -+​ Q:resume container时啥作用,是start容器吗?这里为什么要做,且不需要容器状态检查 -+ -+## delete过程 -+ -+在容器状态异常发生stop event且不restart的状态下,也需要对容器delete_container,但是感觉疑问还是在,因为可以在delete_container中对状态进行判断之后在do_delete_container才进行remove状态的设置:可能是为了增加删除的概率,若在竞争状态下,先设置为removal能阻止其他的容器操作进程运行,但是其他的对于这个状态的判断很少 -+ -+![delete](../../../images/Container_state/delete.svg) -+ -+ -+ -+## kill过程 -+ -+![kill](../../../images/Container_state/kill.svg) -+ -+## restart过程 -+ -+restart有两种,一种是重启策略的重启,默认的重启策略为no,若设置为always或者设置为unless-stoped且has_been_manually_stopped为fasle时,会重启;另一种是在用户使用restart命令时,也会对容器进行restart,因此在执行stop_and_start里面时,才需要对running状态进行检查。 -+ -+### 用户restart -+ -+![user_restart](../../../images/Container_state/user_restart.svg) -+ -+### 容器event变为 stopped之后引发的容器状态改变 -+ -+![sys_restart](../../../images/Container_state/sys_restart.svg) -+ -+ -+ -+# Question -+ -+## 在获得容器锁之前的状态检查和在获得容器锁之后的状态检查有什么区别? -+ -+在之前检查的是必然没必要往下走的状态,而在获得容器锁之后检查的是必须保证满足开始进行操作的条件的状态,更严格。在第一次检查和获得容器锁之间有一段时间,需要允许其他操作并发操作。 -+ -+## gc持有锁的情况 -+ -+1. 在清理容器资源时,需要获得容器的锁:clean_container_resource -+ -+## 状态改变但没有落盘 -+ -+src/daemon/executor/container_cb/execution.c #391、421、502 -+ -+src/daemon/modules/container/restart_manager/restartmanager.c #104 -+ -+src/daemon/executor/container_cb/execution_extend.c #534 这里为什么要将这个放在container_update_health_monitor后面,里面好像没有涉及到状态的改变。 -diff --git a/docs/manual/k8s_integration_zh.md b/docs/manual/k8s_integration_zh.md -index 82673bcc..6dda1e4d 100644 ---- a/docs/manual/k8s_integration_zh.md -+++ b/docs/manual/k8s_integration_zh.md -@@ -1,215 +1,215 @@ --# 整合kubernetes -- --## 配置 -- --1. 配置`isulad` -- -- 在`/etc/isulad/daemon.json`中先配置`pod-sandbox-image` : -- -- ```json -- "pod-sandbox-image": "my-pause:1.0.0" -- ``` -- -- 之后配置`isulad`的 `endpoint`: -- -- ```json -- "hosts": [ -- "unix:///var/run/isulad.sock" -- ] -- ``` -- -- 如果`hosts`没有配置,默认的`endpoint`为``unix:///var/run/isulad.sock`` -- --2. 重启`isulad` -- -- ```bash -- $ sudo systemctl restart isulad -- ``` -- --3. 基于配置或者默认值启动`kubelet` -- -- ```bash -- $ /usr/bin/kubelet -- --container-runtime-endpoint=unix:///var/run/isulad.sock -- --image-service-endpoint=unix:///var/run/isulad.sock -- --pod-infra-container-image=my-pause:1.0.0 -- --container-runtime=remote -- ... -- ``` -- --## 使用 RuntimeClass -- --RuntimeClass 用于选择容器运行时配置从而运行 pod 的容器,RuntimeClass 的具体信息请查看 [runtime-class](https://kubernetes.io/docs/concepts/containers/runtime-class/)。目前,只支持`kata-containers` 和 `runc`这两种`oci runtime`。 -- --1. 在`/etc/isulad/daemon.json`中配置`isulad` -- -- ```json -- "runtimes": { -- "kata-runtime": { -- "path": "/usr/bin/kata-runtime", -- "runtime-args": [ -- "--kata-config", -- "/usr/share/defaults/kata-containers/configuration.toml" -- ] -- } -- } -- ``` -- --2. 其他配置 -- -- `isulad`支持`overlay2` 和 `devicemapper`作为存储驱动程序,默认的为`overlay2` 。 -- -- 在某些情况下,更适合使用块设备类型作为存储驱动程序,例如运行 `kata-containers`。配置`devicemapper`的过程如下: -- -- 首先创建ThinPool: -- -- ```bash -- $ sudo pvcreate /dev/sdb1 # /dev/sdb1 for example -- $ sudo vgcreate isulad /dev/sdb -- $ sudo echo y | lvcreate --wipesignatures y -n thinpool isulad -L 200G -- $ sudo echo y | lvcreate --wipesignatures y -n thinpoolmeta isulad -L 20G -- $ sudo lvconvert -y --zero n -c 512K --thinpool isulad/thinpool --poolmetadata isulad/thinpoolmeta -- $ sudo lvchange --metadataprofile isulad-thinpool isulad/thinpool -- ``` -- -- 之后在`/etc/isulad/daemon.json`中增加 `devicemapper` 的配置 : -- -- ```json -- "storage-driver": "devicemapper" -- "storage-opts": [ -- "dm.thinpooldev=/dev/mapper/isulad-thinpool", -- "dm.fs=ext4", -- "dm.min_free_space=10%" -- ] -- ``` -- --3. 重启`isulad` -- -- ```bash -- $ sudo systemctl restart isulad -- ``` -- --4. 定义 `kata-runtime.yaml`,例如创建一个`kata-runtime.yaml`内容如下: -- -- ```yaml -- apiVersion: node.k8s.io/v1beta1 -- kind: RuntimeClass -- metadata: -- name: kata-runtime -- handler: kata-runtime -- ``` -- -- 之后运行`kubectl apply -f kata-runtime.yaml`命令在kubectl中让这个配置生效。 -- --5. 定义 pod spec `kata-pod.yaml` ,例如创建一个`kata-pod.yaml`,内容如下: -- -- ```yaml -- apiVersion: v1 -- kind: Pod -- metadata: -- name: kata-pod-example -- spec: -- runtimeClassName: kata-runtime -- containers: -- - name: kata-pod -- image: busybox:latest -- command: ["/bin/sh"] -- args: ["-c", "sleep 1000"] -- ``` -- --6. 运行 pod -- -- ```bash -- $ kubectl create -f kata-pod.yaml -- $ kubectl get pod -- NAME READY STATUS RESTARTS AGE -- kata-pod-example 1/1 Running 4 2s -- ``` -- --## CNI 网络配置 -- --`isulad`实现了CRI接口从而可以连接CNI网络、解析CNI的网络配置文件、加入或者退出CNI网络。在本节中,我们调用 CRI 接口启动 pod 来验证 CNI 网络配置。 -- --1. 在`/etc/isulad/daemon.json`中配置`isulad`: -- -- ```json -- "network-plugin": "cni", -- "cni-bin-dir": "/opt/cni/bin", -- "cni-conf-dir": "/etc/cni/net.d", -- ``` -- --2. 准备CNI网络的插件: -- -- 编译生成 CNI 插件的二进制文件,并将该二进制文件复制到 `/opt/cni/bin`。 -- -- ```bash -- $ git clone https://github.com/containernetworking/plugins.git -- $ cd plugins && ./build_linux.sh -- $ cd ./bin && ls -- bandwidth bridge dhcp firewall flannel ... -- ``` -- --3. 准备CNI网络的配置: -- -- 配置文件的后缀可以是`.conflist`或者`.conf`,区别在于是否包含多个插件。例如,我们在目录`/etc/cni/net.d/`下创建`10-mynet.conflist`文件,内容如下: -- -- ```json -- { -- "cniVersion": "0.3.1", -- "name": "default", -- "plugins": [ -- { -- "name": "default", -- "type": "ptp", -- "ipMasq": true, -- "ipam": { -- "type": "host-local", -- "subnet": "10.1.0.0/16", -- "routes": [ -- { -- "dst": "0.0.0.0/0" -- } -- ] -- } -- }, -- { -- "type": "portmap", -- "capabilities": { -- "portMappings": true -- } -- } -- ] -- } -- ``` -- --4. 配置`sandbox-config.json`: -- -- ```json -- { -- "port_mappings":[{"protocol": 1, "container_port": 80, "host_port": 8080}], -- "metadata": { -- "name": "test", -- "namespace": "default", -- "attempt": 1, -- "uid": "hdishd83djaidwnduwk28bcsb" -- }, -- "labels": { -- "filter_label_key": "filter_label_val" -- }, -- "linux": { -- } -- } -- ``` -- --5. 重启`isulad`并且启动pod: -- -- ```sh -- $ sudo systemctl restart isulad -- $ sudo crictl -i unix:///var/run/isulad.sock -r unix:///var/run/isulad.sock runp sandbox-config.json -- ``` -- --6. 查看pod网络信息: -- -- ```sh -- $ sudo crictl -i unix:///var/run/isulad.sock -r unix:///var/run/isulad.sock inspectp -+# 整合kubernetes -+ -+## 配置 -+ -+1. 配置`isulad` -+ -+ 在`/etc/isulad/daemon.json`中先配置`pod-sandbox-image` : -+ -+ ```json -+ "pod-sandbox-image": "my-pause:1.0.0" -+ ``` -+ -+ 之后配置`isulad`的 `endpoint`: -+ -+ ```json -+ "hosts": [ -+ "unix:///var/run/isulad.sock" -+ ] -+ ``` -+ -+ 如果`hosts`没有配置,默认的`endpoint`为``unix:///var/run/isulad.sock`` -+ -+2. 重启`isulad` -+ -+ ```bash -+ $ sudo systemctl restart isulad -+ ``` -+ -+3. 基于配置或者默认值启动`kubelet` -+ -+ ```bash -+ $ /usr/bin/kubelet -+ --container-runtime-endpoint=unix:///var/run/isulad.sock -+ --image-service-endpoint=unix:///var/run/isulad.sock -+ --pod-infra-container-image=my-pause:1.0.0 -+ --container-runtime=remote -+ ... -+ ``` -+ -+## 使用 RuntimeClass -+ -+RuntimeClass 用于选择容器运行时配置从而运行 pod 的容器,RuntimeClass 的具体信息请查看 [runtime-class](https://kubernetes.io/docs/concepts/containers/runtime-class/)。目前,只支持`kata-containers` 和 `runc`这两种`oci runtime`。 -+ -+1. 在`/etc/isulad/daemon.json`中配置`isulad` -+ -+ ```json -+ "runtimes": { -+ "kata-runtime": { -+ "path": "/usr/bin/kata-runtime", -+ "runtime-args": [ -+ "--kata-config", -+ "/usr/share/defaults/kata-containers/configuration.toml" -+ ] -+ } -+ } -+ ``` -+ -+2. 其他配置 -+ -+ `isulad`支持`overlay2` 和 `devicemapper`作为存储驱动程序,默认的为`overlay2` 。 -+ -+ 在某些情况下,更适合使用块设备类型作为存储驱动程序,例如运行 `kata-containers`。配置`devicemapper`的过程如下: -+ -+ 首先创建ThinPool: -+ -+ ```bash -+ $ sudo pvcreate /dev/sdb1 # /dev/sdb1 for example -+ $ sudo vgcreate isulad /dev/sdb -+ $ sudo echo y | lvcreate --wipesignatures y -n thinpool isulad -L 200G -+ $ sudo echo y | lvcreate --wipesignatures y -n thinpoolmeta isulad -L 20G -+ $ sudo lvconvert -y --zero n -c 512K --thinpool isulad/thinpool --poolmetadata isulad/thinpoolmeta -+ $ sudo lvchange --metadataprofile isulad-thinpool isulad/thinpool -+ ``` -+ -+ 之后在`/etc/isulad/daemon.json`中增加 `devicemapper` 的配置 : -+ -+ ```json -+ "storage-driver": "devicemapper" -+ "storage-opts": [ -+ "dm.thinpooldev=/dev/mapper/isulad-thinpool", -+ "dm.fs=ext4", -+ "dm.min_free_space=10%" -+ ] -+ ``` -+ -+3. 重启`isulad` -+ -+ ```bash -+ $ sudo systemctl restart isulad -+ ``` -+ -+4. 定义 `kata-runtime.yaml`,例如创建一个`kata-runtime.yaml`内容如下: -+ -+ ```yaml -+ apiVersion: node.k8s.io/v1beta1 -+ kind: RuntimeClass -+ metadata: -+ name: kata-runtime -+ handler: kata-runtime -+ ``` -+ -+ 之后运行`kubectl apply -f kata-runtime.yaml`命令在kubectl中让这个配置生效。 -+ -+5. 定义 pod spec `kata-pod.yaml` ,例如创建一个`kata-pod.yaml`,内容如下: -+ -+ ```yaml -+ apiVersion: v1 -+ kind: Pod -+ metadata: -+ name: kata-pod-example -+ spec: -+ runtimeClassName: kata-runtime -+ containers: -+ - name: kata-pod -+ image: busybox:latest -+ command: ["/bin/sh"] -+ args: ["-c", "sleep 1000"] -+ ``` -+ -+6. 运行 pod -+ -+ ```bash -+ $ kubectl create -f kata-pod.yaml -+ $ kubectl get pod -+ NAME READY STATUS RESTARTS AGE -+ kata-pod-example 1/1 Running 4 2s -+ ``` -+ -+## CNI 网络配置 -+ -+`isulad`实现了CRI接口从而可以连接CNI网络、解析CNI的网络配置文件、加入或者退出CNI网络。在本节中,我们调用 CRI 接口启动 pod 来验证 CNI 网络配置。 -+ -+1. 在`/etc/isulad/daemon.json`中配置`isulad`: -+ -+ ```json -+ "network-plugin": "cni", -+ "cni-bin-dir": "/opt/cni/bin", -+ "cni-conf-dir": "/etc/cni/net.d", -+ ``` -+ -+2. 准备CNI网络的插件: -+ -+ 编译生成 CNI 插件的二进制文件,并将该二进制文件复制到 `/opt/cni/bin`。 -+ -+ ```bash -+ $ git clone https://github.com/containernetworking/plugins.git -+ $ cd plugins && ./build_linux.sh -+ $ cd ./bin && ls -+ bandwidth bridge dhcp firewall flannel ... -+ ``` -+ -+3. 准备CNI网络的配置: -+ -+ 配置文件的后缀可以是`.conflist`或者`.conf`,区别在于是否包含多个插件。例如,我们在目录`/etc/cni/net.d/`下创建`10-mynet.conflist`文件,内容如下: -+ -+ ```json -+ { -+ "cniVersion": "0.3.1", -+ "name": "default", -+ "plugins": [ -+ { -+ "name": "default", -+ "type": "ptp", -+ "ipMasq": true, -+ "ipam": { -+ "type": "host-local", -+ "subnet": "10.1.0.0/16", -+ "routes": [ -+ { -+ "dst": "0.0.0.0/0" -+ } -+ ] -+ } -+ }, -+ { -+ "type": "portmap", -+ "capabilities": { -+ "portMappings": true -+ } -+ } -+ ] -+ } -+ ``` -+ -+4. 配置`sandbox-config.json`: -+ -+ ```json -+ { -+ "port_mappings":[{"protocol": 1, "container_port": 80, "host_port": 8080}], -+ "metadata": { -+ "name": "test", -+ "namespace": "default", -+ "attempt": 1, -+ "uid": "hdishd83djaidwnduwk28bcsb" -+ }, -+ "labels": { -+ "filter_label_key": "filter_label_val" -+ }, -+ "linux": { -+ } -+ } -+ ``` -+ -+5. 重启`isulad`并且启动pod: -+ -+ ```sh -+ $ sudo systemctl restart isulad -+ $ sudo crictl -i unix:///var/run/isulad.sock -r unix:///var/run/isulad.sock runp sandbox-config.json -+ ``` -+ -+6. 查看pod网络信息: -+ -+ ```sh -+ $ sudo crictl -i unix:///var/run/isulad.sock -r unix:///var/run/isulad.sock inspectp - ``` -\ No newline at end of file -diff --git a/test/image/oci/registry/data/v2/ping_head b/test/image/oci/registry/data/v2/ping_head -index 93742901..d9456e50 100644 ---- a/test/image/oci/registry/data/v2/ping_head -+++ b/test/image/oci/registry/data/v2/ping_head -@@ -4,6 +4,6 @@ Date: Thu, 02 Jul 2020 09:14:14 GMT - Content-Type: application/json; charset=utf-8 - Content-Length: 2 - Connection: keep-alive --Docker-Distribution-Api-Version: registry/2.0 -- -+Docker-Distribution-Api-Version: registry/2.0 -+ - {"errors":[{"code":"UNAUTHORIZED","message":"Unauthorized access."}]} --- -2.40.1 - diff --git a/0002-2156-Fix-sandbox-error-logging.patch b/0002-2156-Fix-sandbox-error-logging.patch new file mode 100644 index 0000000000000000000000000000000000000000..7f4d9e55ee81d222041729f2caaa6372f547b824 --- /dev/null +++ b/0002-2156-Fix-sandbox-error-logging.patch @@ -0,0 +1,28 @@ +From cc6302549b722a5c309c90794afe27b2e7e7b29e Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Tue, 29 Aug 2023 13:18:13 +0000 +Subject: [PATCH 02/32] !2156 Fix sandbox error logging * Fix sandbox error + logging + +--- + src/daemon/sandbox/sandbox.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index 2433e11b..968dae24 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -581,8 +581,8 @@ auto Sandbox::Create(Errors &error) -> bool + + nret = util_mkdir_p(m_rootdir.c_str(), CONFIG_DIRECTORY_MODE); + if (nret != 0 && errno != EEXIST) { +- error.Errorf("Failed to create sandbox path %s", m_rootdir); +- SYSERROR("Failed to create sandbox path %s", m_rootdir); ++ error.Errorf("Failed to create sandbox path %s", m_rootdir.c_str()); ++ SYSERROR("Failed to create sandbox path %s", m_rootdir.c_str()); + return false; + } + #ifdef ENABLE_USERNS_REMAP +-- +2.25.1 + diff --git a/0002-restore-ping-head.patch b/0002-restore-ping-head.patch deleted file mode 100644 index 47b856a96e127b8f8761bc3fd759acdeda5567e1..0000000000000000000000000000000000000000 --- a/0002-restore-ping-head.patch +++ /dev/null @@ -1,26 +0,0 @@ -From b20af14432e3befcae1c40de91a4dfb579ccd03b Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sat, 13 May 2023 11:05:35 +0800 -Subject: [PATCH 2/9] restore ping head - -Signed-off-by: zhongtao ---- - test/image/oci/registry/data/v2/ping_head | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/test/image/oci/registry/data/v2/ping_head b/test/image/oci/registry/data/v2/ping_head -index d9456e50..93742901 100644 ---- a/test/image/oci/registry/data/v2/ping_head -+++ b/test/image/oci/registry/data/v2/ping_head -@@ -4,6 +4,6 @@ Date: Thu, 02 Jul 2020 09:14:14 GMT - Content-Type: application/json; charset=utf-8 - Content-Length: 2 - Connection: keep-alive --Docker-Distribution-Api-Version: registry/2.0 -- -+Docker-Distribution-Api-Version: registry/2.0 -+ - {"errors":[{"code":"UNAUTHORIZED","message":"Unauthorized access."}]} --- -2.40.1 - diff --git a/0003-2158-Use-crictl-v1.22.0-for-ci.patch b/0003-2158-Use-crictl-v1.22.0-for-ci.patch new file mode 100644 index 0000000000000000000000000000000000000000..d555241b08883b9d6d55a13a2321838a8401e088 --- /dev/null +++ b/0003-2158-Use-crictl-v1.22.0-for-ci.patch @@ -0,0 +1,26 @@ +From 384940dee7ed5bcc01014520b94917f5782f996e Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Wed, 30 Aug 2023 03:36:45 +0000 +Subject: [PATCH 03/32] !2158 Use crictl v1.22.0 for ci * Use crictl v1.22.0 + for ci + +--- + CI/install_depends.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/CI/install_depends.sh b/CI/install_depends.sh +index ff919afe..bff825a8 100755 +--- a/CI/install_depends.sh ++++ b/CI/install_depends.sh +@@ -46,7 +46,7 @@ function make_crictl() + cd cri-tools + # crictl v1.18 cannot recognise the SecurityProfile seccomp of LinuxSandboxSecurityContext + # and the LinuxContainerSecurityContext.has_seccomp() always false +- git checkout v1.24.2 ++ git checkout v1.22.0 + make -j $nproc + echo "make cri-tools: $?" + cp ./build/bin/crictl ${builddir}/bin/ +-- +2.25.1 + diff --git a/0003-fix-health_check.sh.patch b/0003-fix-health_check.sh.patch deleted file mode 100644 index 34eba2964fe4646a733717452f64a01aeeffcc8b..0000000000000000000000000000000000000000 --- a/0003-fix-health_check.sh.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 5bfde56d1130572e9bf76dd0fc40a5f0a34923d2 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sun, 14 May 2023 14:02:48 +0800 -Subject: [PATCH 3/9] fix health_check.sh - -Signed-off-by: zhongtao ---- - CI/test_cases/container_cases/health_check.sh | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/CI/test_cases/container_cases/health_check.sh b/CI/test_cases/container_cases/health_check.sh -index 621574cd..1542bd09 100755 ---- a/CI/test_cases/container_cases/health_check.sh -+++ b/CI/test_cases/container_cases/health_check.sh -@@ -103,7 +103,7 @@ function test_health_check_normally() - [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "healthy" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not healthy" && ((ret++)) - -- kill -9 $(isula inspect -f '{{.State.Pid}}' ${container_name}) && sleep 1 # Wait for the container to be killed -+ kill -9 $(isula inspect -f '{{.State.Pid}}' ${container_name}) && sleep 2 # Wait for the container to be killed - - # The container process exits abnormally and the health check status becomes unhealthy - [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -@@ -139,13 +139,13 @@ function test_health_check_timeout() - [[ $(isula inspect -f '{{.State.Status}}' ${container_name}) == "running" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container status: not running" && ((ret++)) - -- sleep 1 # Health check has been performed yet -+ sleep 2 # Health check has been performed yet - - # Initial status when the container is still starting - [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) - -- sleep 7 # finish first health check -+ sleep 10 # finish first health check - # The container process exits and the health check status becomes unhealthy - [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) --- -2.40.1 - diff --git a/0004-2162-Fix-rename-issue-for-id-manager.patch b/0004-2162-Fix-rename-issue-for-id-manager.patch new file mode 100644 index 0000000000000000000000000000000000000000..96719de0c072dc15ed11fbcc57d1dc895347cea5 --- /dev/null +++ b/0004-2162-Fix-rename-issue-for-id-manager.patch @@ -0,0 +1,113 @@ +From 0dbf21e22d51721e43fa2c1abecf30da271501c5 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Thu, 31 Aug 2023 04:11:22 +0000 +Subject: [PATCH 04/32] !2162 Fix rename issue for id manager Merge pull + request !2162 from xuxuepeng/master + +--- + src/daemon/common/id_name_manager.c | 21 ++++++++++++++++++- + src/daemon/common/id_name_manager.h | 1 + + .../container_cb/execution_information.c | 12 +++++++++++ + src/daemon/sandbox/sandbox_manager.cc | 6 ++++-- + 4 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/src/daemon/common/id_name_manager.c b/src/daemon/common/id_name_manager.c +index e6b24798..3fc1c443 100644 +--- a/src/daemon/common/id_name_manager.c ++++ b/src/daemon/common/id_name_manager.c +@@ -382,4 +382,23 @@ bool id_name_manager_remove_entry(const char *id, const char *name) + } + + return ret; +-} +\ No newline at end of file ++} ++ ++bool id_name_manager_rename(const char *new_name, const char *old_name) ++{ ++ if (old_name == NULL || new_name == NULL) { ++ ERROR("Failed to rename empty name"); ++ return false; ++ } ++ ++ if (!try_add_name(new_name)) { ++ ERROR("Failed to add %s to name map", new_name); ++ return false; ++ } ++ ++ if (!try_remove_name(old_name)) { ++ WARN("Failed to remove %s from name map", old_name); ++ } ++ ++ return true; ++} +diff --git a/src/daemon/common/id_name_manager.h b/src/daemon/common/id_name_manager.h +index 3c9f6d45..09f0867e 100644 +--- a/src/daemon/common/id_name_manager.h ++++ b/src/daemon/common/id_name_manager.h +@@ -27,6 +27,7 @@ bool id_name_manager_add_entry_with_existing_id(const char *id, const char *name + bool id_name_manager_add_entry_with_new_id(const char *name, char **id); + bool id_name_manager_add_entry_with_new_id_and_name(char **id, char **name); + bool id_name_manager_remove_entry(const char *id, const char *name); ++bool id_name_manager_rename(const char *new_name, const char *old_name); + + #ifdef __cplusplus + } +diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c +index 28480224..93e5032e 100644 +--- a/src/daemon/executor/container_cb/execution_information.c ++++ b/src/daemon/executor/container_cb/execution_information.c +@@ -60,6 +60,7 @@ + #include "utils_convert.h" + #include "utils_string.h" + #include "utils_verify.h" ++#include "id_name_manager.h" + + static int container_version_cb(const container_version_request *request, container_version_response **response) + { +@@ -1075,11 +1076,22 @@ static int container_rename(container_t *cont, const char *new_name) + goto out; + } + ++ if (!id_name_manager_rename(new_name, old_name)) { ++ ERROR("Failed to rename %s to %s in id-name manager", old_name, new_name); ++ isulad_set_error_message("Failed to rename %s to %s in id-name manager", old_name, new_name); ++ ret = -1; ++ goto out; ++ } ++ + if (!container_name_index_rename(new_name, old_name, id)) { + ERROR("Name %s is in use", new_name); + isulad_set_error_message("Conflict. The name \"%s\" is already in use by container %s. " + "You have to remove (or rename) that container to be able to reuse that name.", + new_name, new_name); ++ // restore name in id-name manager ++ if (!id_name_manager_rename(old_name, new_name)) { ++ ERROR("Failed to restore name from \"%s\" to \"%s\" in id-name manager", new_name, old_name); ++ } + ret = -1; + goto out; + } +diff --git a/src/daemon/sandbox/sandbox_manager.cc b/src/daemon/sandbox/sandbox_manager.cc +index 527a9aec..e258320a 100644 +--- a/src/daemon/sandbox/sandbox_manager.cc ++++ b/src/daemon/sandbox/sandbox_manager.cc +@@ -210,11 +210,13 @@ bool SandboxManager::IDNameManagerRemoveEntry(const std::string &id, const std:: + // Save the id and name of the sandbox to the map of the id_name_manager module + bool SandboxManager::IDNameManagerNewEntry(std::string &id, const std::string &name) + { +- __isula_auto_free char *tmpId = NULL; + bool ret = false; + if (id.empty()) { ++ __isula_auto_free char *tmpId = NULL; + ret = id_name_manager_add_entry_with_new_id(name.c_str(), &tmpId); +- id = tmpId; ++ if (tmpId != NULL) { ++ id = tmpId; ++ } + } else { + ret = id_name_manager_add_entry_with_existing_id(id.c_str(), name.c_str()); + } +-- +2.25.1 + diff --git a/0004-ensure-isulad_io-not-NULL-before-close-fd.patch b/0004-ensure-isulad_io-not-NULL-before-close-fd.patch deleted file mode 100644 index 767a89ea317a96fc7575e338520e6e09d259616d..0000000000000000000000000000000000000000 --- a/0004-ensure-isulad_io-not-NULL-before-close-fd.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 2c651d3ed5e7d7d78338ce542e66ee9fb36a9275 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sun, 14 May 2023 14:25:22 +0800 -Subject: [PATCH 4/9] ensure isulad_io not NULL before close fd - -Signed-off-by: zhongtao ---- - src/cmd/isulad-shim/process.c | 28 ++++++++++++++++------------ - 1 file changed, 16 insertions(+), 12 deletions(-) - -diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c -index 7716c288..6ad50c53 100644 ---- a/src/cmd/isulad-shim/process.c -+++ b/src/cmd/isulad-shim/process.c -@@ -194,6 +194,10 @@ static int stdin_cb(int fd, uint32_t events, void *cbdata, struct epoll_descr *d - } else { - fd_to = &(p->shim_io->in); - } -+ -+ if (fd_to == NULL || *fd_to == -1) { -+ return EPOLL_LOOP_HANDLE_CONTINUE; -+ } - w_count = write_nointr_in_total(*fd_to, p->buf, r_count); - if (w_count < 0) { - /* When any error occurs, set the write fd -1 */ -@@ -797,21 +801,21 @@ static int init_isulad_stdio(process_t *p) - return SHIM_OK; - failure: - if (p->isulad_io != NULL) { -+ if (p->isulad_io->in > 0) { -+ close(p->isulad_io->in); -+ } -+ if (p->isulad_io->out > 0) { -+ close(p->isulad_io->out); -+ } -+ if (p->isulad_io->err > 0) { -+ close(p->isulad_io->err); -+ } -+ if (p->isulad_io->resize > 0) { -+ close(p->isulad_io->resize); -+ } - free(p->isulad_io); - p->isulad_io = NULL; - } -- if (p->isulad_io->in > 0) { -- close(p->isulad_io->in); -- } -- if (p->isulad_io->out > 0) { -- close(p->isulad_io->out); -- } -- if (p->isulad_io->err > 0) { -- close(p->isulad_io->err); -- } -- if (p->isulad_io->resize > 0) { -- close(p->isulad_io->resize); -- } - return SHIM_ERR; - } - --- -2.40.1 - diff --git a/0005-2163-add-bind-mount-file-lock.patch b/0005-2163-add-bind-mount-file-lock.patch new file mode 100644 index 0000000000000000000000000000000000000000..4064815221fd3b3e7937db0a558eb6dc7b06207b --- /dev/null +++ b/0005-2163-add-bind-mount-file-lock.patch @@ -0,0 +1,936 @@ +From c1c5159675073450fe13906771cec6f666053380 Mon Sep 17 00:00:00 2001 +From: zhangxiaoyu +Date: Thu, 31 Aug 2023 13:14:02 +0000 +Subject: [PATCH 05/32] !2163 add bind mount file lock * add bind mount file + lock + +--- + src/cmd/isula/stream/cp.c | 66 ++++++- + src/cmd/isulad/main.c | 51 ++++++ + src/common/constants.h | 4 + + .../executor/container_cb/execution_stream.c | 23 ++- + src/daemon/modules/image/oci/oci_export.c | 13 +- + src/daemon/modules/image/oci/oci_load.c | 13 +- + .../graphdriver/devmapper/driver_devmapper.c | 12 +- + .../graphdriver/overlay2/driver_overlay2.c | 12 +- + src/utils/tar/isulad_tar.c | 16 +- + src/utils/tar/isulad_tar.h | 4 +- + src/utils/tar/util_archive.c | 163 +++++++++++++++--- + src/utils/tar/util_archive.h | 8 +- + 12 files changed, 332 insertions(+), 53 deletions(-) + +diff --git a/src/cmd/isula/stream/cp.c b/src/cmd/isula/stream/cp.c +index f0cd99c9..b1e3bbd6 100644 +--- a/src/cmd/isula/stream/cp.c ++++ b/src/cmd/isula/stream/cp.c +@@ -73,6 +73,44 @@ static void print_copy_from_container_error(const char *ops_err, const char *arc + } + } + ++static int client_get_root_dir(const isula_connect_ops *ops, const client_connect_config_t *config, char **root_dir) ++{ ++ int ret = 0; ++ struct isula_info_request request = { 0 }; ++ struct isula_info_response *response = NULL; ++ ++ response = util_common_calloc_s(sizeof(struct isula_info_response)); ++ if (response == NULL) { ++ COMMAND_ERROR("Info: Out of memory"); ++ return -1; ++ } ++ ++ if (!ops->container.info) { ++ COMMAND_ERROR("Unimplemented info op"); ++ ret = -1; ++ goto out; ++ } ++ ++ ret = ops->container.info(&request, response, (void *)config); ++ if (ret != 0) { ++ client_print_error(response->cc, response->server_errono, response->errmsg); ++ ret = -1; ++ goto out; ++ } ++ ++ if (response->isulad_root_dir == NULL) { ++ COMMAND_ERROR("None root dir"); ++ ret = -1; ++ goto out; ++ } ++ ++ *root_dir = util_strdup_s(response->isulad_root_dir); ++ ++out: ++ isula_info_response_free(response); ++ return ret; ++} ++ + static int client_copy_from_container(const struct client_arguments *args, const char *id, const char *srcpath, + const char *destpath) + { +@@ -84,6 +122,7 @@ static int client_copy_from_container(const struct client_arguments *args, const + char *archive_err = NULL; + char *ops_err = NULL; + char *resolved = NULL; ++ char *root_dir = NULL; + struct archive_copy_info *srcinfo = NULL; + client_connect_config_t config; + +@@ -92,18 +131,24 @@ static int client_copy_from_container(const struct client_arguments *args, const + COMMAND_ERROR("Unimplemented copy from container operation"); + return -1; + } ++ config = get_connect_config(args); ++ ++ ret = client_get_root_dir(ops, &config, &root_dir); ++ if (ret != 0) { ++ return -1; ++ } + + response = util_common_calloc_s(sizeof(struct isula_copy_from_container_response)); + if (response == NULL) { + ERROR("Event: Out of memory"); +- return -1; ++ ret = -1; ++ goto out; + } + + request.id = (char *)id; + request.runtime = args->runtime; + request.srcpath = (char *)srcpath; + +- config = get_connect_config(args); + ret = ops->container.copy_from_container(&request, response, &config); + if (ret) { + ops_err = (response->errmsg != NULL) ? util_strdup_s(response->errmsg) : NULL; +@@ -125,7 +170,7 @@ static int client_copy_from_container(const struct client_arguments *args, const + srcinfo->path = util_strdup_s(srcpath); + srcinfo->isdir = S_ISDIR(response->stat->mode); + +- nret = archive_copy_to(&response->reader, srcinfo, resolved, &archive_err); ++ nret = archive_copy_to(&response->reader, srcinfo, resolved, root_dir, &archive_err); + if (nret != 0) { + ret = nret; + } +@@ -137,6 +182,7 @@ static int client_copy_from_container(const struct client_arguments *args, const + + out: + print_copy_from_container_error(ops_err, archive_err, ret, args); ++ free(root_dir); + free(resolved); + free(archive_err); + free(ops_err); +@@ -167,6 +213,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c + int nret = 0; + char *archive_err = NULL; + char *resolved = NULL; ++ char *root_dir = NULL; + struct archive_copy_info *srcinfo = NULL; + struct io_read_wrapper archive_reader = { 0 }; + client_connect_config_t config = { 0 }; +@@ -176,11 +223,18 @@ static int client_copy_to_container(const struct client_arguments *args, const c + COMMAND_ERROR("Unimplemented copy to container operation"); + return -1; + } ++ config = get_connect_config(args); ++ ++ ret = client_get_root_dir(ops, &config, &root_dir); ++ if (ret != 0) { ++ return -1; ++ } + + response = util_common_calloc_s(sizeof(struct isula_copy_to_container_response)); + if (response == NULL) { + ERROR("Event: Out of memory"); +- return -1; ++ ret = -1; ++ goto out; + } + + request.id = (char *)id; +@@ -199,7 +253,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c + goto out; + } + +- nret = tar_resource(srcinfo, &archive_reader, &archive_err); ++ nret = tar_resource(srcinfo, root_dir, &archive_reader, &archive_err); + if (nret != 0) { + ret = -1; + goto out; +@@ -212,7 +266,6 @@ static int client_copy_to_container(const struct client_arguments *args, const c + request.reader.read = archive_reader.read; + request.reader.close = archive_reader.close; + +- config = get_connect_config(args); + ret = ops->container.copy_to_container(&request, response, &config); + + // archive reader close if copy to container failed +@@ -223,6 +276,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c + + out: + print_copy_to_container_error(response, archive_err, ret, args); ++ free(root_dir); + free(resolved); + free(archive_err); + free_archive_copy_info(srcinfo); +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index 681dcf03..b32b6626 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -72,6 +72,7 @@ + #include "utils_file.h" + #include "utils_string.h" + #include "utils_verify.h" ++#include "path.h" + #include "volume_api.h" + #ifndef DISABLE_CLEANUP + #include "leftover_cleanup_api.h" +@@ -1383,6 +1384,50 @@ out: + return ret; + } + ++static int create_mount_flock_file(const struct service_arguments *args) ++{ ++ int nret = 0; ++ int fd = -1; ++ char path[PATH_MAX] = { 0 }; ++ char cleanpath[PATH_MAX] = { 0 }; ++ ++ nret = snprintf(path, PATH_MAX, "%s/%s", args->json_confs->graph, MOUNT_FLOCK_FILE_PATH); ++ if (nret < 0 || (size_t)nret >= PATH_MAX) { ++ ERROR("Failed to snprintf"); ++ return -1; ++ } ++ ++ if (util_clean_path(path, cleanpath, sizeof(cleanpath)) == NULL) { ++ ERROR("clean path for %s failed", path); ++ return -1; ++ } ++ ++ if (util_fileself_exists(cleanpath)) { ++ int err = 0; ++ // recreate mount flock file ++ // and make file uid/gid and permission correct ++ if (!util_force_remove_file(cleanpath, &err)) { ++ ERROR("Failed to delete %s, error: %s. Please delete %s manually.", path, strerror(err), path); ++ return -1; ++ } ++ } ++ ++ fd = util_open(cleanpath, O_RDWR | O_CREAT, MOUNT_FLOCK_FILE_MODE); ++ if (fd < 0) { ++ ERROR("Failed to create file %s", cleanpath); ++ return -1; ++ } ++ close(fd); ++ ++ nret = util_set_file_group(cleanpath, args->json_confs->group); ++ if (nret < 0) { ++ ERROR("set group of the path %s failed", cleanpath); ++ return -1; ++ } ++ ++ return 0; ++} ++ + static int isulad_server_init_service() + { + int ret = -1; +@@ -1413,6 +1458,12 @@ static int isulad_server_init_service() + goto unlock_out; + } + ++ ret = create_mount_flock_file(args); ++ if (ret != 0) { ++ ERROR("Failed to create mount flock file"); ++ goto unlock_out; ++ } ++ + unlock_out: + if (isulad_server_conf_unlock()) { + ret = -1; +diff --git a/src/common/constants.h b/src/common/constants.h +index 409a83a1..d93bb464 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -68,6 +68,8 @@ extern "C" { + + #define DEFAULT_HIGHEST_DIRECTORY_MODE 0755 + ++#define MOUNT_FLOCK_FILE_MODE 0660 ++ + #define ISULAD_CONFIG SYSCONFDIR_PREFIX"/etc/isulad" + + #define ISULAD_DAEMON_CONTAINER_CONTEXTS ISULAD_CONFIG "/container_contexts" +@@ -119,6 +121,8 @@ extern "C" { + #define OCI_VERSION "1.0.1" + #endif + ++#define MOUNT_FLOCK_FILE_PATH "isulad-chroot-mount.flock" ++ + #define OCI_IMAGE_GRAPH_ROOTPATH_NAME "storage" + + #ifdef ENABLE_GRPC_REMOTE_CONNECT +diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c +index 32721e68..244ec6a0 100644 +--- a/src/daemon/executor/container_cb/execution_stream.c ++++ b/src/daemon/executor/container_cb/execution_stream.c +@@ -62,6 +62,7 @@ + #include "utils.h" + #include "utils_file.h" + #include "utils_verify.h" ++#include "isulad_config.h" + + #if defined (__ANDROID__) || defined(__MUSL__) + #define SIG_CANCEL_SIGNAL SIGUSR1 +@@ -442,6 +443,7 @@ static int archive_and_send_copy_data(const stream_func_wrapper *stream, + char *absbase = NULL; + char *err = NULL; + char *buf = NULL; ++ char *root_dir = NULL; + char cleaned[PATH_MAX + 2] = { 0 }; + struct io_read_wrapper reader = { 0 }; + char *tar_path = NULL; +@@ -474,9 +476,15 @@ static int archive_and_send_copy_data(const stream_func_wrapper *stream, + goto cleanup; + } + ++ root_dir = conf_get_isulad_rootdir(); ++ if (root_dir == NULL) { ++ ERROR("Failed to get isulad rootdir"); ++ goto cleanup; ++ } ++ + DEBUG("archive chroot tar stream container_fs(%s) srcdir(%s) relative(%s) srcbase(%s) absbase(%s)", + container_fs, srcdir, tar_path, srcbase, absbase); +- nret = archive_chroot_tar_stream(container_fs, tar_path, srcbase, absbase, &reader); ++ nret = archive_chroot_tar_stream(container_fs, tar_path, srcbase, absbase, root_dir, &reader); + if (nret != 0) { + ERROR("Archive %s failed", resolvedpath); + goto cleanup; +@@ -504,6 +512,7 @@ cleanup: + free(srcdir); + free(srcbase); + free(absbase); ++ free(root_dir); + if (reader.close != NULL) { + int cret = reader.close(reader.context, &err); + if (err != NULL) { +@@ -776,15 +785,25 @@ static int read_and_extract_archive(stream_func_wrapper *stream, const char *con + { + int ret = -1; + char *err = NULL; ++ char *root_dir = NULL; + struct io_read_wrapper content = { 0 }; + content.context = stream; + content.read = extract_stream_to_io_read; +- ret = archive_chroot_untar_stream(&content, container_fs, dstdir_in_container, src_rebase, dst_rebase, &err); ++ ++ root_dir = conf_get_isulad_rootdir(); ++ if (root_dir == NULL) { ++ ERROR("Failed to get isulad rootdir"); ++ isulad_set_error_message("Failed to get isulad rootdir"); ++ return -1; ++ } ++ ++ ret = archive_chroot_untar_stream(&content, container_fs, dstdir_in_container, src_rebase, dst_rebase, root_dir, &err); + if (ret != 0) { + ERROR("Can not untar to container: %s", (err != NULL) ? err : "unknown"); + isulad_set_error_message("Can not untar to container: %s", (err != NULL) ? err : "unknown"); + } + free(err); ++ free(root_dir); + return ret; + } + +diff --git a/src/daemon/modules/image/oci/oci_export.c b/src/daemon/modules/image/oci/oci_export.c +index e27ed6d8..6bfcf4d5 100644 +--- a/src/daemon/modules/image/oci/oci_export.c ++++ b/src/daemon/modules/image/oci/oci_export.c +@@ -23,6 +23,7 @@ + #include "util_archive.h" + #include "path.h" + #include "utils_file.h" ++#include "isulad_config.h" + + int oci_do_export(char *id, char *file) + { +@@ -30,6 +31,7 @@ int oci_do_export(char *id, char *file) + int ret2 = 0; + char *mount_point = NULL; + char *errmsg = NULL; ++ char *root_dir = NULL; + char cleanpath[PATH_MAX] = { 0 }; + + if (id == NULL || file == NULL) { +@@ -56,7 +58,15 @@ int oci_do_export(char *id, char *file) + return -1; + } + +- ret = archive_chroot_tar(mount_point, cleanpath, &errmsg); ++ root_dir = conf_get_isulad_rootdir(); ++ if (root_dir == NULL) { ++ ERROR("Failed to get isulad rootdir"); ++ isulad_set_error_message("Failed to get isulad rootdir"); ++ ret = -1; ++ goto out; ++ } ++ ++ ret = archive_chroot_tar(mount_point, cleanpath, root_dir, &errmsg); + if (ret != 0) { + ERROR("failed to export container %s to file %s: %s", id, cleanpath, errmsg); + isulad_set_error_message("Failed to export rootfs with error: %s", errmsg); +@@ -68,6 +78,7 @@ out: + mount_point = NULL; + free(errmsg); + errmsg = NULL; ++ free(root_dir); + + ret2 = storage_rootfs_umount(id, false); + if (ret2 != 0) { +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index 04a9f947..4385e55e 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -41,6 +41,7 @@ + #include "utils_file.h" + #include "utils_verify.h" + #include "oci_image.h" ++#include "isulad_config.h" + + #define MANIFEST_BIG_DATA_KEY "manifest" + #define OCI_SCHEMA_VERSION 2 +@@ -1068,6 +1069,7 @@ int oci_do_load(const im_load_request *request) + char *digest = NULL; + char *dstdir = NULL; + char *err = NULL; ++ char *root_dir = NULL; + + if (request == NULL || request->file == NULL) { + ERROR("Invalid input arguments, cannot load image"); +@@ -1088,8 +1090,16 @@ int oci_do_load(const im_load_request *request) + goto out; + } + ++ root_dir = conf_get_isulad_rootdir(); ++ if (root_dir == NULL) { ++ ERROR("Failed to get isulad rootdir"); ++ isulad_try_set_error_message("Failed to get isulad rootdir"); ++ ret = -1; ++ goto out; ++ } ++ + options.whiteout_format = NONE_WHITEOUT_FORMATE; +- if (archive_unpack(&reader, dstdir, &options, &err) != 0) { ++ if (archive_unpack(&reader, dstdir, &options, root_dir, &err) != 0) { + ERROR("Failed to unpack to %s: %s", dstdir, err); + isulad_try_set_error_message("Failed to unpack to %s: %s", dstdir, err); + ret = -1; +@@ -1175,5 +1185,6 @@ out: + } + free(dstdir); + free(err); ++ free(root_dir); + return ret; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c +index 998ea8c2..ecb62f79 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c +@@ -32,6 +32,7 @@ + #include "utils_file.h" + #include "utils_fs.h" + #include "utils_string.h" ++#include "isulad_config.h" + + struct io_read_wrapper; + +@@ -346,6 +347,7 @@ int devmapper_apply_diff(const char *id, const struct graphdriver *driver, const + int ret = 0; + struct archive_options options = { 0 }; + char *err = NULL; ++ char *root_dir = NULL; + + if (!util_valid_str(id) || driver == NULL || content == NULL) { + ERROR("invalid argument to apply diff with id(%s)", id); +@@ -366,8 +368,15 @@ int devmapper_apply_diff(const char *id, const struct graphdriver *driver, const + goto out; + } + ++ root_dir = conf_get_isulad_rootdir(); ++ if (root_dir == NULL) { ++ ERROR("Failed to get isulad rootdir"); ++ ret = -1; ++ goto umount_out; ++ } ++ + options.whiteout_format = REMOVE_WHITEOUT_FORMATE; +- if (archive_unpack(content, layer_fs, &options, &err) != 0) { ++ if (archive_unpack(content, layer_fs, &options, root_dir, &err) != 0) { + ERROR("devmapper: failed to unpack to %s: %s", layer_fs, err); + ret = -1; + goto umount_out; +@@ -384,6 +393,7 @@ out: + free_driver_mount_opts(mount_opts); + free(layer_fs); + free(err); ++ free(root_dir); + return ret; + } + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +index c5864c90..b177f594 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +@@ -45,6 +45,7 @@ + #include "utils_timestamp.h" + #include "selinux_label.h" + #include "err_msg.h" ++#include "isulad_config.h" + #ifdef ENABLE_REMOTE_LAYER_STORE + #include "ro_symlink_maintain.h" + #endif +@@ -1886,6 +1887,7 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const + char *layer_diff = NULL; + struct archive_options options = { 0 }; + char *err = NULL; ++ char *root_dir = NULL; + + if (id == NULL || driver == NULL || content == NULL) { + ERROR("invalid argument"); +@@ -1919,7 +1921,14 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const + } + #endif + +- ret = archive_unpack(content, layer_diff, &options, &err); ++ root_dir = conf_get_isulad_rootdir(); ++ if (root_dir == NULL) { ++ ERROR("Failed to get isulad rootdir"); ++ ret = -1; ++ goto out; ++ } ++ ++ ret = archive_unpack(content, layer_diff, &options, root_dir ,&err); + if (ret != 0) { + ERROR("Failed to unpack to %s: %s", layer_diff, err); + ret = -1; +@@ -1928,6 +1937,7 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const + + out: + free(err); ++ free(root_dir); + free(layer_dir); + free(layer_diff); + #ifdef ENABLE_USERNS_REMAP +diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c +index 74176b12..24269c70 100644 +--- a/src/utils/tar/isulad_tar.c ++++ b/src/utils/tar/isulad_tar.c +@@ -385,7 +385,7 @@ cleanup: + } + + int archive_copy_to(const struct io_read_wrapper *content, const struct archive_copy_info *srcinfo, +- const char *dstpath, char **err) ++ const char *dstpath, const char *root_dir, char **err) + { + int ret = -1; + struct archive_copy_info *dstinfo = NULL; +@@ -393,7 +393,7 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_ + char *src_base = NULL; + char *dst_base = NULL; + +- if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL) { ++ if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL || root_dir == NULL) { + return -1; + } + +@@ -409,7 +409,7 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_ + goto cleanup; + } + +- ret = archive_chroot_untar_stream(content, dstdir, ".", src_base, dst_base, err); ++ ret = archive_chroot_untar_stream(content, dstdir, ".", src_base, dst_base, root_dir, err); + + cleanup: + free_archive_copy_info(dstinfo); +@@ -419,7 +419,7 @@ cleanup: + return ret; + } + +-static int tar_resource_rebase(const char *path, const char *rebase, struct io_read_wrapper *archive_reader, char **err) ++static int tar_resource_rebase(const char *path, const char *rebase, const char *root_dir, struct io_read_wrapper *archive_reader, char **err) + { + int ret = -1; + int nret; +@@ -438,7 +438,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, struct io_r + } + + DEBUG("chroot tar stream srcdir(%s) srcbase(%s) rebase(%s)", srcdir, srcbase, rebase); +- nret = archive_chroot_tar_stream(srcdir, srcbase, srcbase, rebase, archive_reader); ++ nret = archive_chroot_tar_stream(srcdir, srcbase, srcbase, rebase, root_dir, archive_reader); + if (nret < 0) { + ERROR("Can not archive path: %s", path); + goto cleanup; +@@ -450,11 +450,11 @@ cleanup: + return ret; + } + +-int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err) ++int tar_resource(const struct archive_copy_info *info, const char *root_dir, struct io_read_wrapper *archive_reader, char **err) + { +- if (info == NULL || archive_reader == NULL || err == NULL) { ++ if (info == NULL || root_dir == NULL || archive_reader == NULL || err == NULL) { + return -1; + } + +- return tar_resource_rebase(info->path, info->rebase_name, archive_reader, err); ++ return tar_resource_rebase(info->path, info->rebase_name, root_dir, archive_reader, err); + } +diff --git a/src/utils/tar/isulad_tar.h b/src/utils/tar/isulad_tar.h +index cdd9858a..414bb024 100644 +--- a/src/utils/tar/isulad_tar.h ++++ b/src/utils/tar/isulad_tar.h +@@ -43,10 +43,10 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li + char *prepare_archive_copy(const struct archive_copy_info *srcinfo, const struct archive_copy_info *dstinfo, + char **src_base, char **dst_base, char **err); + +-int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err); ++int tar_resource(const struct archive_copy_info *info, const char *root_dir, struct io_read_wrapper *archive_reader, char **err); + + int archive_copy_to(const struct io_read_wrapper *content, const struct archive_copy_info *srcinfo, +- const char *dstpath, char **err); ++ const char *dstpath, const char *root_dir, char **err); + + #ifdef __cplusplus + } +diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c +index 0fb7769b..d2fc5488 100644 +--- a/src/utils/tar/util_archive.c ++++ b/src/utils/tar/util_archive.c +@@ -33,10 +33,12 @@ + #include + #include + #include ++#include + + #include + #include + #include ++#include + + #include "error.h" + #include "map.h" +@@ -83,6 +85,31 @@ static ssize_t read_content(struct archive *a, void *client_data, const void **b + return mydata->content->read(mydata->content->context, mydata->buff, sizeof(mydata->buff)); + } + ++static char *generate_flock_path(const char *root_dir) ++{ ++ int nret = 0; ++ char path[PATH_MAX] = { 0 }; ++ char cleanpath[PATH_MAX] = { 0 }; ++ ++ nret = snprintf(path, PATH_MAX, "%s/%s", root_dir, MOUNT_FLOCK_FILE_PATH); ++ if (nret < 0 || (size_t)nret >= PATH_MAX) { ++ ERROR("Failed to snprintf"); ++ return NULL; ++ } ++ ++ if (util_clean_path(path, cleanpath, sizeof(cleanpath)) == NULL) { ++ ERROR("clean path for %s failed", path); ++ return NULL; ++ } ++ ++ if (!util_file_exists(cleanpath)) { ++ ERROR("flock file %s doesn't exist", cleanpath); ++ return NULL; ++ } ++ ++ return util_strdup_s(cleanpath); ++} ++ + static void do_disable_unneccessary_caps() + { + cap_t caps; +@@ -104,7 +131,58 @@ static void do_disable_unneccessary_caps() + cap_free(caps); + } + +-static int make_safedir_is_noexec(const char *dstdir, char **safe_dir) ++// Add flock when bind mount and make it private. ++// Because bind mount usually makes safedir shared mount point, ++// and sometimes it will cause "mount point explosion". ++// E.g. concurrently execute isula cp /tmp/ : ++static int bind_mount_with_flock(const char *flock_path, const char *dstdir, const char *tmp_dir) ++{ ++ __isula_auto_close int fd = -1; ++ int ret = -1; ++ ++ fd = open(flock_path, O_RDWR | O_CLOEXEC); ++ if (fd < 0) { ++ SYSERROR("Failed to open file %s", flock_path); ++ return -1; ++ } ++ ++ if (flock(fd, LOCK_EX) != 0) { ++ SYSERROR("Failed to lock file %s", flock_path); ++ return -1; ++ } ++ ++ if (mount(dstdir, tmp_dir, "none", MS_BIND, NULL) != 0) { ++ SYSERROR("Mount safe dir failed"); ++ goto unlock_out; ++ } ++ ++ if (mount(tmp_dir, tmp_dir, "none", MS_BIND | MS_REMOUNT | MS_NOEXEC, NULL) != 0) { ++ SYSERROR("Mount safe dir failed"); ++ if (umount(tmp_dir) != 0) { ++ SYSERROR("Failed to umount target %s", tmp_dir); ++ } ++ goto unlock_out; ++ } ++ ++ // Change the propagation type. ++ if (mount("", tmp_dir, "", MS_PRIVATE, "") != 0) { ++ SYSERROR("Failed to change the propagation type"); ++ if (umount(tmp_dir) != 0) { ++ SYSERROR("Failed to umount target %s", tmp_dir); ++ } ++ goto unlock_out; ++ } ++ ++ ret = 0; ++ ++unlock_out: ++ if (flock(fd, LOCK_UN) != 0) { ++ SYSERROR("Failed to unlock file %s", flock_path); ++ } ++ return ret; ++} ++ ++static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, char **safe_dir) + { + struct stat buf; + char *isulad_tmpdir_env = NULL; +@@ -156,19 +234,8 @@ static int make_safedir_is_noexec(const char *dstdir, char **safe_dir) + return -1; + } + +- if (mount(dstdir, tmp_dir, "none", MS_BIND, NULL) != 0) { +- SYSERROR("Mount safe dir failed"); +- if (util_path_remove(tmp_dir) != 0) { +- ERROR("Failed to remove path %s", tmp_dir); +- } +- return -1; +- } +- +- if (mount(tmp_dir, tmp_dir, "none", MS_BIND | MS_REMOUNT | MS_NOEXEC, NULL) != 0) { +- SYSERROR("Mount safe dir failed"); +- if (umount(tmp_dir) != 0) { +- ERROR("Failed to umount target %s", tmp_dir); +- } ++ if (bind_mount_with_flock(flock_path, dstdir, tmp_dir) != 0) { ++ ERROR("Failed to bind mount from %s to %s with flock", dstdir, tmp_dir); + if (util_path_remove(tmp_dir) != 0) { + ERROR("Failed to remove path %s", tmp_dir); + } +@@ -723,7 +790,7 @@ static void set_child_process_pdeathsig(void) + } + + int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, const struct archive_options *options, +- char **errmsg) ++ const char *root_dir, char **errmsg) + { + int ret = 0; + pid_t pid = -1; +@@ -731,12 +798,24 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co + int pipe_stderr[2] = { -1, -1 }; + char errbuf[BUFSIZ + 1] = { 0 }; + char *safe_dir = NULL; ++ char *flock_path = NULL; + +- if (make_safedir_is_noexec(dstdir, &safe_dir) != 0) { +- ERROR("Prepare safe dir failed"); ++ if (content == NULL || dstdir == NULL || options == NULL || root_dir == NULL) { + return -1; + } + ++ flock_path = generate_flock_path(root_dir); ++ if (flock_path == NULL) { ++ ERROR("Failed to generate flock path"); ++ return -1; ++ } ++ ++ if (make_safedir_is_noexec(flock_path, dstdir, &safe_dir) != 0) { ++ ERROR("Prepare safe dir failed"); ++ ret = -1; ++ goto cleanup; ++ } ++ + if (pipe2(pipe_stderr, O_CLOEXEC) != 0) { + ERROR("Failed to create pipe"); + ret = -1; +@@ -816,6 +895,7 @@ cleanup: + ERROR("Failed to remove path %s", safe_dir); + } + free(safe_dir); ++ free(flock_path); + return ret; + } + +@@ -1126,7 +1206,7 @@ static ssize_t fd_write(void *context, const void *data, size_t len) + return util_write_nointr(*(int *)context, data, len); + } + +-int archive_chroot_tar(char *path, char *file, char **errmsg) ++int archive_chroot_tar(const char *path, const char *file, const char *root_dir, char **errmsg) + { + struct io_write_wrapper pipe_context = { 0 }; + int ret = 0; +@@ -1136,12 +1216,24 @@ int archive_chroot_tar(char *path, char *file, char **errmsg) + char errbuf[BUFSIZ + 1] = { 0 }; + int fd = 0; + char *safe_dir = NULL; ++ char *flock_path = NULL; + +- if (make_safedir_is_noexec(path, &safe_dir) != 0) { +- ERROR("Prepare safe dir failed"); ++ if (path == NULL || file == NULL || root_dir == NULL) { ++ return -1; ++ } ++ ++ flock_path = generate_flock_path(root_dir); ++ if (flock_path == NULL) { ++ ERROR("Failed to generate flock path"); + return -1; + } + ++ if (make_safedir_is_noexec(flock_path, path, &safe_dir) != 0) { ++ ERROR("Prepare safe dir failed"); ++ ret = -1; ++ goto cleanup; ++ } ++ + if (pipe2(pipe_for_read, O_CLOEXEC) != 0) { + ERROR("Failed to create pipe"); + ret = -1; +@@ -1232,6 +1324,7 @@ cleanup: + ERROR("Failed to remove path %s", safe_dir); + } + free(safe_dir); ++ free(flock_path); + return ret; + } + +@@ -1352,7 +1445,7 @@ static int archive_context_close(void *context, char **err) + } + + int archive_chroot_untar_stream(const struct io_read_wrapper *context, const char *chroot_dir, const char *untar_dir, +- const char *src_base, const char *dst_base, char **errmsg) ++ const char *src_base, const char *dst_base, const char *root_dir, char **errmsg) + { + struct io_read_wrapper pipe_context = { 0 }; + int pipe_stream[2] = { -1, -1 }; +@@ -1370,12 +1463,19 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha + .dst_base = dst_base + }; + char *safe_dir = NULL; ++ char *flock_path = NULL; + +- if (make_safedir_is_noexec(chroot_dir, &safe_dir) != 0) { +- ERROR("Prepare safe dir failed"); ++ flock_path = generate_flock_path(root_dir); ++ if (flock_path == NULL) { ++ ERROR("Failed to generate flock path"); + return -1; + } + ++ if (make_safedir_is_noexec(flock_path, chroot_dir, &safe_dir) != 0) { ++ ERROR("Prepare safe dir failed"); ++ goto cleanup; ++ } ++ + if (pipe(pipe_stderr) != 0) { + ERROR("Failed to create pipe: %s", strerror(errno)); + goto cleanup; +@@ -1483,12 +1583,13 @@ cleanup: + ERROR("Failed to remove path %s", safe_dir); + } + free(safe_dir); ++ free(flock_path); + + return ret; + } + + int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, const char *src_base, const char *dst_base, +- struct io_read_wrapper *reader) ++ const char *root_dir, struct io_read_wrapper *reader) + { + struct io_write_wrapper pipe_context = { 0 }; + int keepfds[] = { -1, -1, -1 }; +@@ -1498,12 +1599,19 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons + pid_t pid; + struct archive_context *ctx = NULL; + char *safe_dir = NULL; ++ char *flock_path = NULL; + +- if (make_safedir_is_noexec(chroot_dir, &safe_dir) != 0) { +- ERROR("Prepare safe dir failed"); ++ flock_path = generate_flock_path(root_dir); ++ if (flock_path == NULL) { ++ ERROR("Failed to generate flock path"); + return -1; + } + ++ if (make_safedir_is_noexec(flock_path, chroot_dir, &safe_dir) != 0) { ++ ERROR("Prepare safe dir failed"); ++ goto free_out; ++ } ++ + if (pipe(pipe_stderr) != 0) { + ERROR("Failed to create pipe: %s", strerror(errno)); + goto free_out; +@@ -1607,6 +1715,7 @@ free_out: + close_archive_pipes_fd(pipe_stderr, 2); + close_archive_pipes_fd(pipe_stream, 2); + free(ctx); ++ free(flock_path); + if (safe_dir != NULL) { + if (umount(safe_dir) != 0) { + ERROR("Failed to umount target %s", safe_dir); +@@ -1848,4 +1957,4 @@ int archive_copy_oci_tar_split_and_ret_size(int src_fd, const char *dist_file, i + } + + return foreach_archive_entry(archive_entry_parse, src_fd, dist_file, ret_size); +-} +\ No newline at end of file ++} +diff --git a/src/utils/tar/util_archive.h b/src/utils/tar/util_archive.h +index 5cc2c5ec..8f0ab2a4 100644 +--- a/src/utils/tar/util_archive.h ++++ b/src/utils/tar/util_archive.h +@@ -45,17 +45,17 @@ struct archive_options { + }; + + int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, const struct archive_options *options, +- char **errmsg); ++ const char *root_dir, char **errmsg); + + bool valid_archive_format(const char *file); + +-int archive_chroot_tar(char *path, char *file, char **errmsg); ++int archive_chroot_tar(const char *path, const char *file, const char *root_dir, char **errmsg); + + int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, const char *src_base, +- const char *dst_base, struct io_read_wrapper *content); ++ const char *dst_base, const char *root_dir, struct io_read_wrapper *content); + int archive_chroot_untar_stream(const struct io_read_wrapper *content, const char *chroot_dir, + const char *untar_dir, const char *src_base, const char *dst_base, +- char **errmsg); ++ const char *root_dir, char **errmsg); + + int archive_copy_oci_tar_split_and_ret_size(int src_fd, const char *dist_file, int64_t *ret_size); + +-- +2.25.1 + diff --git a/0005-recheck-delete-command-exit-status.patch b/0005-recheck-delete-command-exit-status.patch deleted file mode 100644 index 864a7bdaaf8530c1f8286aa2e7d788e9f0b19d00..0000000000000000000000000000000000000000 --- a/0005-recheck-delete-command-exit-status.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 57921deef3849f519b3fffdcf76184144ba54fb3 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Tue, 16 May 2023 15:16:13 +0800 -Subject: [PATCH 5/9] recheck delete command exit status - -Signed-off-by: zhongtao ---- - .../modules/runtime/isula/isula_rt_ops.c | 24 ++++++++++++------- - 1 file changed, 15 insertions(+), 9 deletions(-) - -diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c -index 9008c5c7..07f714f0 100644 ---- a/src/daemon/modules/runtime/isula/isula_rt_ops.c -+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c -@@ -635,9 +635,9 @@ static int runtime_call_simple(const char *workdir, const char *runtime, const c - } - - // oci runtime return -1 if the container 'does not exist' --// if output contains 'does not exist', means nothing to kill, return 0 --// this will change the exit status of kill command --static int kill_output_check(const char *output) -+// if output contains 'does not exist', means nothing to kill or delete, return 0 -+// this will change the exit status of kill or delete command -+static int non_existent_output_check(const char *output) - { - char *pattern = "does not exist"; - -@@ -645,24 +645,24 @@ static int kill_output_check(const char *output) - return -1; - } - -- // container not exist, kill success, return 0 -+ // container not exist, kill or delete success, return 0 - if (util_strings_contains_word(output, pattern)) { - return 0; - } - -- // kill failed, return -1 -+ // kill or delete failed, return -1 - return -1; - } - --// kill success or kill_output_check succeed return 0, DO_RETRY_CALL will break; -+// kill success or non_existent_output_check succeed return 0, DO_RETRY_CALL will break; - // if kill failed, recheck on shim alive, if not alive, kill succeed, still return 0; - // else, return -1, DO_RETRY_CALL will call this again; - static int runtime_call_kill_and_check(const char *workdir, const char *runtime, const char *id) - { - int ret = -1; - -- // kill succeed, return 0; kill_output_check succeed, return 0; -- ret = runtime_call_simple(workdir, runtime, "kill", NULL, 0, id, kill_output_check); -+ // kill succeed, return 0; non_existent_output_check succeed, return 0; -+ ret = runtime_call_simple(workdir, runtime, "kill", NULL, 0, id, non_existent_output_check); - if (ret == 0) { - return 0; - } -@@ -677,7 +677,13 @@ static int runtime_call_kill_and_check(const char *workdir, const char *runtime, - static int runtime_call_delete_force(const char *workdir, const char *runtime, const char *id) - { - const char *opts[1] = { "--force" }; -- return runtime_call_simple(workdir, runtime, "delete", opts, 1, id, NULL); -+ // delete succeed, return 0; -+ // When the runc version is less than or equal to v1.0.0-rc3, -+ // if the container does not exist when force deleting it, -+ // runc will report an error and isulad does not need to retry the deletion again. -+ // related PR ID:d1a743674a98e23d348b29f52c43436356f56b79 -+ // non_existent_output_check succeed, return 0; -+ return runtime_call_simple(workdir, runtime, "delete", opts, 1, id, non_existent_output_check); - } - - #define ExitSignalOffset 128 --- -2.40.1 - diff --git a/0006-2168-fix-code-bug.patch b/0006-2168-fix-code-bug.patch new file mode 100644 index 0000000000000000000000000000000000000000..68d3dacc00ad7dc8e0eea4f0b8206c18ab9e15ec --- /dev/null +++ b/0006-2168-fix-code-bug.patch @@ -0,0 +1,1054 @@ +From f6c1ec5c8603124511c7a726a487757609a1d7a5 Mon Sep 17 00:00:00 2001 +From: zhangxiaoyu +Date: Tue, 5 Sep 2023 02:15:57 +0000 +Subject: [PATCH 06/32] !2168 fix code bug * fix code bug + +--- + src/daemon/common/events_format.c | 6 +- + src/daemon/common/selinux_label.c | 22 +- + src/daemon/common/selinux_label.h | 8 +- + src/daemon/config/isulad_config.c | 276 ++++++++++-------- + src/daemon/config/isulad_config.h | 62 ++-- + src/daemon/executor/container_cb/execution.c | 4 +- + .../executor/container_cb/execution_create.c | 2 +- + .../executor/container_cb/execution_network.c | 9 + + .../executor/container_cb/execution_stream.h | 6 +- + src/daemon/executor/container_cb/list.c | 4 +- + src/daemon/executor/image_cb/image_cb.c | 18 +- + 11 files changed, 233 insertions(+), 184 deletions(-) + +diff --git a/src/daemon/common/events_format.c b/src/daemon/common/events_format.c +index e5ceab92..514b060e 100644 +--- a/src/daemon/common/events_format.c ++++ b/src/daemon/common/events_format.c +@@ -83,7 +83,11 @@ struct isulad_events_format *dup_event(const struct isulad_events_format *event) + return NULL; + } + +- event_copy(event, out); ++ if (event_copy(event, out) != 0) { ++ ERROR("Failed to copy event"); ++ isulad_events_format_free(out); ++ return NULL; ++ } + + return out; + } +diff --git a/src/daemon/common/selinux_label.c b/src/daemon/common/selinux_label.c +index 585a5e35..e6527bd0 100644 +--- a/src/daemon/common/selinux_label.c ++++ b/src/daemon/common/selinux_label.c +@@ -247,7 +247,7 @@ static int get_current_label(char **content) + return read_con(path, content); + } + +-bool selinux_get_enable() ++bool selinux_get_enable(void) + { + bool enabled_set = false; + bool enabled = false; +@@ -295,7 +295,7 @@ bool selinux_get_enable() + } + + // just disable selinux support for iSulad +-void selinux_set_disabled() ++void selinux_set_disabled(void) + { + (void)set_state_enable(false); + } +@@ -376,9 +376,10 @@ int selinux_state_init(void) + return 0; + } + +-void selinux_state_free() ++void selinux_state_free(void) + { + do_selinux_state_free(g_selinux_state); ++ g_selinux_state = NULL; + } + + /* MCS already exists */ +@@ -986,6 +987,11 @@ int relabel(const char *path, const char *file_label, bool shared) + return 0; + } + ++ if (path == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + tmp_file_label = util_strdup_s(file_label); + if (is_exclude_relabel_path(path)) { + ERROR("SELinux relabeling of %s is not allowed", path); +@@ -1059,6 +1065,11 @@ int dup_security_opt(const char *src, char ***dst, size_t *len) + return 0; + } + ++ if (dst == NULL || len == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + context_t con = context_new(src); + if (con == NULL) { + ERROR("context new failed"); +@@ -1107,6 +1118,11 @@ out: + + int get_disable_security_opt(char ***labels, size_t *labels_len) + { ++ if (labels == NULL || labels_len == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + if (util_array_append(labels, "disable") != 0) { + ERROR("Failed to append label"); + return -1; +diff --git a/src/daemon/common/selinux_label.h b/src/daemon/common/selinux_label.h +index 625e94c3..4a3c03d4 100644 +--- a/src/daemon/common/selinux_label.h ++++ b/src/daemon/common/selinux_label.h +@@ -24,14 +24,14 @@ extern "C" { + #endif + + int selinux_state_init(void); +-void selinux_set_disabled(); +-bool selinux_get_enable(); +-int init_label(const char **label_opts, size_t label_opts_len, char **process_label, char **mount_label); ++void selinux_set_disabled(void); ++bool selinux_get_enable(void); ++int init_label(const char **label_opts, size_t label_opts_len, char **dst_process_label, char **dst_mount_label); + int relabel(const char *path, const char *file_label, bool shared); + int get_disable_security_opt(char ***labels, size_t *labels_len); + int dup_security_opt(const char *src, char ***dst, size_t *len); + char *selinux_format_mountlabel(const char *src, const char *mount_label); +-void selinux_state_free(); ++void selinux_state_free(void); + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c +index 269ab310..f600f0cf 100644 +--- a/src/daemon/config/isulad_config.c ++++ b/src/daemon/config/isulad_config.c +@@ -125,7 +125,7 @@ out: + } + + /* isulad server conf wrlock */ +-int isulad_server_conf_wrlock() ++int isulad_server_conf_wrlock(void) + { + int ret = 0; + +@@ -138,7 +138,7 @@ int isulad_server_conf_wrlock() + } + + /* isulad server conf rdlock */ +-int isulad_server_conf_rdlock() ++int isulad_server_conf_rdlock(void) + { + int ret = 0; + +@@ -151,7 +151,7 @@ int isulad_server_conf_rdlock() + } + + /* isulad server conf unlock */ +-int isulad_server_conf_unlock() ++int isulad_server_conf_unlock(void) + { + int ret = 0; + +@@ -163,13 +163,13 @@ int isulad_server_conf_unlock() + return ret; + } + +-struct service_arguments *conf_get_server_conf() ++struct service_arguments *conf_get_server_conf(void) + { + return g_isulad_conf.server_conf; + } + + /* conf get isulad pidfile */ +-char *conf_get_isulad_pidfile() ++char *conf_get_isulad_pidfile(void) + { + char *filename = NULL; + struct service_arguments *conf = NULL; +@@ -191,7 +191,7 @@ out: + } + + /* conf get engine rootpath */ +-char *conf_get_engine_rootpath() ++char *conf_get_engine_rootpath(void) + { + char *epath = NULL; + char *rootpath = NULL; +@@ -238,7 +238,7 @@ int conf_get_cgroup_cpu_rt(int64_t *cpu_rt_period, int64_t *cpu_rt_runtime) + } + + conf = conf_get_server_conf(); +- if (conf == NULL) { ++ if (conf == NULL || conf->json_confs == NULL) { + (void)isulad_server_conf_unlock(); + return -1; + } +@@ -254,7 +254,7 @@ int conf_get_cgroup_cpu_rt(int64_t *cpu_rt_period, int64_t *cpu_rt_runtime) + } + + /* conf get graph checked flag file path */ +-char *conf_get_graph_check_flag_file() ++char *conf_get_graph_check_flag_file(void) + { + char *epath = NULL; + char *rootpath = NULL; +@@ -307,7 +307,7 @@ char *conf_get_routine_rootdir(const char *runtime) + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->graph == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->graph == NULL) { + ERROR("Server conf is NULL or rootpath is NULL"); + goto out; + } +@@ -357,7 +357,7 @@ char *conf_get_routine_statedir(const char *runtime) + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->state == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->state == NULL) { + goto out; + } + +@@ -460,7 +460,7 @@ out: + #endif + + /* conf get isulad rootdir */ +-char *conf_get_isulad_rootdir() ++char *conf_get_isulad_rootdir(void) + { + char *path = NULL; + struct service_arguments *conf = NULL; +@@ -470,7 +470,7 @@ char *conf_get_isulad_rootdir() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->graph == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->graph == NULL) { + goto out; + } + +@@ -482,7 +482,7 @@ out: + } + + /* conf get registry */ +-char **conf_get_registry_list() ++char **conf_get_registry_list(void) + { + int nret = 0; + size_t i; +@@ -495,7 +495,7 @@ char **conf_get_registry_list() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->registry_mirrors_len == 0) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->registry_mirrors_len == 0) { + goto out; + } + +@@ -518,7 +518,7 @@ out: + } + + /* conf get insecure registry */ +-char **conf_get_insecure_registry_list() ++char **conf_get_insecure_registry_list(void) + { + int nret = 0; + size_t i; +@@ -531,7 +531,7 @@ char **conf_get_insecure_registry_list() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->insecure_registries_len == 0) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->insecure_registries_len == 0) { + goto out; + } + +@@ -554,7 +554,7 @@ out: + } + + /* conf get isulad statedir */ +-char *conf_get_isulad_statedir() ++char *conf_get_isulad_statedir(void) + { + char *path = NULL; + struct service_arguments *conf = NULL; +@@ -564,7 +564,7 @@ char *conf_get_isulad_statedir() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->state == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->state == NULL) { + goto out; + } + +@@ -576,7 +576,7 @@ out: + } + + /* isulad monitor fifo name */ +-char *conf_get_isulad_monitor_fifo_path() ++char *conf_get_isulad_monitor_fifo_path(void) + { + int ret; + char fifo_file_path[PATH_MAX] = { 0 }; +@@ -631,7 +631,7 @@ static char *get_parent_mount_dir(char *graph) + } + + /* conf get isulad mount rootfs */ +-char *conf_get_isulad_mount_rootfs() ++char *conf_get_isulad_mount_rootfs(void) + { + char *path = NULL; + struct service_arguments *conf = NULL; +@@ -653,7 +653,7 @@ out: + } + + /* conf get isulad umask for containers */ +-char *conf_get_isulad_native_umask() ++char *conf_get_isulad_native_umask(void) + { + char *umask = NULL; + struct service_arguments *conf = NULL; +@@ -663,7 +663,7 @@ char *conf_get_isulad_native_umask() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->native_umask == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->native_umask == NULL) { + goto out; + } + +@@ -675,7 +675,7 @@ out: + } + + /* conf get isulad cgroup parent for containers */ +-char *conf_get_isulad_cgroup_parent() ++char *conf_get_isulad_cgroup_parent(void) + { + char *cgroup_parent = NULL; + struct service_arguments *conf = NULL; +@@ -685,7 +685,7 @@ char *conf_get_isulad_cgroup_parent() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->cgroup_parent == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->cgroup_parent == NULL) { + goto out; + } + +@@ -697,7 +697,7 @@ out: + } + + /* conf get isulad loglevel */ +-char *conf_get_isulad_loglevel() ++char *conf_get_isulad_loglevel(void) + { + char *loglevel = NULL; + struct service_arguments *conf = NULL; +@@ -707,7 +707,7 @@ char *conf_get_isulad_loglevel() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->log_level == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->log_level == NULL) { + goto out; + } + +@@ -725,7 +725,7 @@ char *get_log_file_helper(const struct service_arguments *conf, const char *suff + size_t len = 0; + int nret = 0; + +- if (suffix == NULL) { ++ if (conf == NULL || suffix == NULL) { + return NULL; + } + +@@ -757,7 +757,7 @@ out: + } + + /* conf get isulad log gather fifo path */ +-char *conf_get_isulad_log_gather_fifo_path() ++char *conf_get_isulad_log_gather_fifo_path(void) + { + #define LOG_GATHER_FIFO_NAME "/isulad_log_gather_fifo" + char *logfile = NULL; +@@ -796,7 +796,7 @@ out: + } + + /* conf get isulad log file */ +-char *conf_get_isulad_log_file() ++char *conf_get_isulad_log_file(void) + { + char *logfile = NULL; + struct service_arguments *conf = NULL; +@@ -818,7 +818,7 @@ out: + } + + /* conf get engine log file */ +-char *conf_get_engine_log_file() ++char *conf_get_engine_log_file(void) + { + char *logfile = NULL; + char *full_path = NULL; +@@ -885,7 +885,7 @@ int conf_get_daemon_log_config(char **loglevel, char **logdriver, char **engine_ + } + + /* conf get isulad logdriver */ +-char *conf_get_isulad_logdriver() ++char *conf_get_isulad_logdriver(void) + { + char *logdriver = NULL; + struct service_arguments *conf = NULL; +@@ -895,7 +895,7 @@ char *conf_get_isulad_logdriver() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->log_driver == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->log_driver == NULL) { + goto out; + } + +@@ -915,12 +915,17 @@ int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts) + size_t i; + int ret = 0; + ++ if (opts == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + if (isulad_server_conf_rdlock() != 0) { + return -1; + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->container_log == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->container_log == NULL) { + goto out; + } + work = conf->json_confs->container_log; +@@ -962,7 +967,7 @@ out: + } + + /* conf get image layer check flag */ +-bool conf_get_image_layer_check_flag() ++bool conf_get_image_layer_check_flag(void) + { + bool check_flag = false; + struct service_arguments *conf = NULL; +@@ -972,7 +977,7 @@ bool conf_get_image_layer_check_flag() + } + + conf = conf_get_server_conf(); +- if (conf == NULL) { ++ if (conf == NULL || conf->json_confs == NULL) { + goto out; + } + +@@ -984,7 +989,7 @@ out: + } + + /* conf get flag of use decrypted key to pull image */ +-bool conf_get_use_decrypted_key_flag() ++bool conf_get_use_decrypted_key_flag(void) + { + bool check_flag = true; + struct service_arguments *conf = NULL; +@@ -994,7 +999,7 @@ bool conf_get_use_decrypted_key_flag() + } + + conf = conf_get_server_conf(); +- if (conf == NULL || conf->json_confs->use_decrypted_key == NULL) { ++ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->use_decrypted_key == NULL) { + goto out; + } + +@@ -1005,7 +1010,7 @@ out: + return check_flag; + } + +-bool conf_get_skip_insecure_verify_flag() ++bool conf_get_skip_insecure_verify_flag(void) + { + bool check_flag = false; + struct service_arguments *conf = NULL; +@@ -1015,7 +1020,7 @@ bool conf_get_skip_insecure_verify_flag() + } + + conf = conf_get_server_conf(); +- if (conf == NULL) { ++ if (conf == NULL || conf->json_confs == NULL) { + goto out; + } + +@@ -1026,69 +1031,86 @@ out: + return check_flag; + } + +-#define OCI_STR_ARRAY_DUP(src, dest, srclen, destlen, ret) \ +- do { \ +- if ((src) != NULL) { \ +- (dest) = util_str_array_dup((const char **)(src), (srclen)); \ +- if ((dest) == NULL) { \ +- (ret) = -1; \ +- goto out; \ +- } \ +- (destlen) = (srclen); \ +- } \ +- } while (0) +- +-#define HOOKS_ELEM_DUP_DEF(item) \ +- defs_hook *hooks_##item##_elem_dup(const defs_hook *src) \ +- { \ +- int ret = 0; \ +- defs_hook *dest = NULL; \ +- if (src == NULL) \ +- return NULL; \ +- dest = util_common_calloc_s(sizeof(defs_hook)); \ +- if (dest == NULL) \ +- return NULL; \ +- dest->path = util_strdup_s(src->path); \ +- OCI_STR_ARRAY_DUP(src->args, dest->args, src->args_len, dest->args_len, ret); \ +- OCI_STR_ARRAY_DUP(src->env, dest->env, src->env_len, dest->env_len, ret); \ +- dest->timeout = src->timeout; \ +- out: \ +- if (ret != 0 && dest != NULL) { \ +- free_defs_hook(dest); \ +- dest = NULL; \ +- } \ +- return dest; \ +- } +- +-/* HOOKS ELEM DUP DEF */ +-HOOKS_ELEM_DUP_DEF(prestart) +-/* HOOKS ELEM DUP DEF */ +-HOOKS_ELEM_DUP_DEF(poststart) +-/* HOOKS ELEM DUP DEF */ +-HOOKS_ELEM_DUP_DEF(poststop) +- +-#define HOOKS_ITEM_DUP_DEF(item) \ +- int hooks_##item##_dup(oci_runtime_spec_hooks *dest, const oci_runtime_spec_hooks *src) \ +- { \ +- int i = 0; \ +- dest->item = util_smart_calloc_s(sizeof(defs_hook *), (src->item##_len + 1)); \ +- if (dest->item == NULL) \ +- return -1; \ +- dest->item##_len = src->item##_len; \ +- for (; (size_t)i < src->item##_len; ++i) { \ +- dest->item[i] = hooks_##item##_elem_dup(src->item[i]); \ +- if (dest->item[i] == NULL) \ +- return -1; \ +- } \ +- return 0; \ +- } +- +-/* HOOKS ITEM DUP DEF */ +-HOOKS_ITEM_DUP_DEF(prestart) +-/* HOOKS ITEM DUP DEF */ +-HOOKS_ITEM_DUP_DEF(poststart) +-/* HOOKS ITEM DUP DEF */ +-HOOKS_ITEM_DUP_DEF(poststop) ++static defs_hook *hooks_elem_dup(const defs_hook *src) ++{ ++ defs_hook *dest = NULL; ++ ++ if (src == NULL) { ++ return NULL; ++ } ++ ++ dest = (defs_hook *)util_common_calloc_s(sizeof(defs_hook)); ++ if (dest == NULL) { ++ ERROR("Out of memory"); ++ return NULL; ++ } ++ ++ dest->path = util_strdup_s(src->path); ++ dest->timeout = src->timeout; ++ ++ if (src->args_len != 0) { ++ dest->args = util_str_array_dup((const char **)(src->args), src->args_len); ++ if (dest->args == NULL) { ++ ERROR("Failed to duplicate string array"); ++ goto err_out; ++ } ++ dest->args_len = src->args_len; ++ } ++ ++ if (src->env_len != 0) { ++ dest->env = util_str_array_dup((const char **)(src->env), src->env_len); ++ if (dest->env == NULL) { ++ ERROR("Failed to duplicate string array"); ++ goto err_out; ++ } ++ dest->env_len = src->env_len; ++ } ++ ++ return dest; ++ ++err_out: ++ free_defs_hook(dest); ++ return NULL; ++} ++ ++static int hooks_array_dup(const defs_hook **src, const size_t src_len, defs_hook ***dst, size_t *dst_len) ++{ ++ size_t i; ++ size_t tmp_len = 0; ++ defs_hook **tmp_dst = NULL; ++ ++ if (src_len > SIZE_MAX - 1) { ++ ERROR("Invalid hooks array length"); ++ return -1; ++ } ++ ++ tmp_dst = (defs_hook **)util_smart_calloc_s(sizeof(defs_hook *), src_len + 1); ++ if (tmp_dst == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ ++ for(i = 0; i < src_len; i++) { ++ tmp_dst[i] = hooks_elem_dup(src[i]); ++ if (tmp_dst[i] == NULL) { ++ ERROR("Failed to duplicate hooks element"); ++ goto err_out; ++ } ++ tmp_len++; ++ } ++ ++ *dst = tmp_dst; ++ *dst_len = tmp_len; ++ return 0; ++ ++err_out: ++ for(i = 0; i < tmp_len; i++) { ++ free_defs_hook(tmp_dst[i]); ++ } ++ free(tmp_dst); ++ ++ return -1; ++} + + /* hooks_dup */ + oci_runtime_spec_hooks *hooks_dup(const oci_runtime_spec_hooks *src) +@@ -1104,17 +1126,17 @@ oci_runtime_spec_hooks *hooks_dup(const oci_runtime_spec_hooks *src) + return NULL; + } + +- ret = hooks_prestart_dup(dest, src); ++ ret = hooks_array_dup((const defs_hook **)src->prestart, src->prestart_len, &dest->prestart, &dest->prestart_len); + if (ret != 0) { + goto out; + } + +- ret = hooks_poststart_dup(dest, src); ++ ret = hooks_array_dup((const defs_hook **)src->poststart, src->poststart_len, &dest->poststart, &dest->poststart_len); + if (ret != 0) { + goto out; + } + +- ret = hooks_poststop_dup(dest, src); ++ ret = hooks_array_dup((const defs_hook **)src->poststop, src->poststop_len, &dest->poststop, &dest->poststop_len); + + out: + if (ret != 0) { +@@ -1130,6 +1152,11 @@ int conf_get_isulad_hooks(oci_runtime_spec_hooks **phooks) + int ret = 0; + struct service_arguments *conf = NULL; + ++ if (phooks == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + if (isulad_server_conf_rdlock() != 0) { + return -1; + } +@@ -1184,7 +1211,7 @@ out: + } + + /* conf get start timeout */ +-unsigned int conf_get_start_timeout() ++unsigned int conf_get_start_timeout(void) + { + struct service_arguments *conf = NULL; + unsigned int ret = 0; +@@ -1204,7 +1231,7 @@ out: + return ret; + } + +-char *conf_get_default_runtime() ++char *conf_get_default_runtime(void) + { + struct service_arguments *conf = NULL; + char *result = NULL; +@@ -1226,7 +1253,7 @@ out: + return result; + } + +-char *conf_get_enable_plugins() ++char *conf_get_enable_plugins(void) + { + struct service_arguments *conf = NULL; + char *plugins = NULL; +@@ -1249,7 +1276,7 @@ out: + } + + #ifdef ENABLE_USERNS_REMAP +-char *conf_get_isulad_userns_remap() ++char *conf_get_isulad_userns_remap(void) + { + struct service_arguments *conf = NULL; + char *userns_remap = NULL; +@@ -1335,7 +1362,7 @@ int conf_get_cni_bin_dir(char ***dst) + } + + /* conf get websocket server listening port */ +-int32_t conf_get_websocket_server_listening_port() ++int32_t conf_get_websocket_server_listening_port(void) + { + int32_t port = 0; + struct service_arguments *conf = NULL; +@@ -1345,7 +1372,7 @@ int32_t conf_get_websocket_server_listening_port() + } + + conf = conf_get_server_conf(); +- if (conf == NULL) { ++ if (conf == NULL || conf->json_confs == NULL) { + goto out; + } + +@@ -1401,6 +1428,10 @@ int set_unix_socket_group(const char *socket, const char *group) + return -1; + } + ++ if (!util_has_prefix(socket, UNIX_SOCKET_PREFIX)) { ++ ERROR("Invalid unix socket: %s", socket); ++ return -1; ++ } + path = socket + strlen(UNIX_SOCKET_PREFIX); + + if (strlen(path) > PATH_MAX || realpath(path, rpath) == NULL) { +@@ -1430,15 +1461,6 @@ out: + return ret; + } + +-#define OVERRIDE_STRING_VALUE(dst, src) \ +- do { \ +- if ((src) != NULL && strlen((src)) != 0) { \ +- free((dst)); \ +- (dst) = (src); \ +- (src) = NULL; \ +- } \ +- } while (0) +- + static int string_array_append(char **suffix, size_t suffix_len, size_t *curr_len, char ***result) + { + if (suffix_len > 0) { +@@ -1463,6 +1485,11 @@ int parse_log_opts(struct service_arguments *args, const char *key, const char * + { + int ret = -1; + ++ if (args == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + if (key == NULL || value == NULL) { + return 0; + } +@@ -1682,6 +1709,11 @@ int merge_json_confs_into_global(struct service_arguments *args) + parser_error err = NULL; + int ret = 0; + ++ if (args == NULL) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ + tmp_json_confs = isulad_daemon_configs_parse_file(ISULAD_DAEMON_JSON_CONF_FILE, NULL, &err); + if (tmp_json_confs == NULL) { + COMMAND_ERROR("Load isulad json config failed: %s", err != NULL ? err : ""); +@@ -1828,7 +1860,7 @@ static bool valid_isulad_daemon_constants(isulad_daemon_constants *config) + return true; + } + +-int init_isulad_daemon_constants() ++int init_isulad_daemon_constants(void) + { + parser_error err = NULL; + int ret = 0; +@@ -1855,7 +1887,7 @@ out: + return ret; + } + +-isulad_daemon_constants *get_isulad_daemon_constants() ++isulad_daemon_constants *get_isulad_daemon_constants(void) + { + return g_isulad_daemon_constants; + } +diff --git a/src/daemon/config/isulad_config.h b/src/daemon/config/isulad_config.h +index 92edd6e0..4fe1acdc 100644 +--- a/src/daemon/config/isulad_config.h ++++ b/src/daemon/config/isulad_config.h +@@ -42,43 +42,43 @@ char *conf_get_sandbox_rootpath(void); + char *conf_get_sandbox_statepath(void); + #endif + +-char *conf_get_isulad_pidfile(); +-char *conf_get_engine_rootpath(); ++char *conf_get_isulad_pidfile(void); ++char *conf_get_engine_rootpath(void); + char *conf_get_routine_rootdir(const char *runtime); + char *conf_get_routine_statedir(const char *runtime); +-char *conf_get_isulad_rootdir(); +-char *conf_get_isulad_statedir(); +-char *conf_get_isulad_mount_rootfs(); +-char *conf_get_isulad_loglevel(); +-char *conf_get_isulad_logdriver(); ++char *conf_get_isulad_rootdir(void); ++char *conf_get_isulad_statedir(void); ++char *conf_get_isulad_mount_rootfs(void); ++char *conf_get_isulad_loglevel(void); ++char *conf_get_isulad_logdriver(void); + int conf_get_daemon_log_config(char **loglevel, char **logdriver, char **engine_log_path); +-char *conf_get_isulad_log_gather_fifo_path(); ++char *conf_get_isulad_log_gather_fifo_path(void); + + int conf_get_cgroup_cpu_rt(int64_t *cpu_rt_period, int64_t *cpu_rt_runtime); + + int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts); + +-char *conf_get_isulad_log_file(); +-char *conf_get_engine_log_file(); +-char *conf_get_enable_plugins(); ++char *conf_get_isulad_log_file(void); ++char *conf_get_engine_log_file(void); ++char *conf_get_enable_plugins(void); + #ifdef ENABLE_USERNS_REMAP +-char *conf_get_isulad_userns_remap(); ++char *conf_get_isulad_userns_remap(void); + #endif +-char *conf_get_cni_conf_dir(); ++char *conf_get_cni_conf_dir(void); + int conf_get_cni_bin_dir(char ***dst); +-int32_t conf_get_websocket_server_listening_port(); ++int32_t conf_get_websocket_server_listening_port(void); + + int save_args_to_conf(struct service_arguments *args); + + int set_unix_socket_group(const char *socket, const char *group); + +-int isulad_server_conf_wrlock(); ++int isulad_server_conf_wrlock(void); + +-int isulad_server_conf_rdlock(); ++int isulad_server_conf_rdlock(void); + +-int isulad_server_conf_unlock(); ++int isulad_server_conf_unlock(void); + +-struct service_arguments *conf_get_server_conf(); ++struct service_arguments *conf_get_server_conf(void); + + int get_system_cpu_usage(uint64_t *val); + +@@ -86,31 +86,31 @@ int conf_get_isulad_hooks(oci_runtime_spec_hooks **phooks); + + int conf_get_isulad_default_ulimit(host_config_ulimits_element ***ulimit); + +-unsigned int conf_get_start_timeout(); ++unsigned int conf_get_start_timeout(void); + +-char **conf_get_insecure_registry_list(); ++char **conf_get_insecure_registry_list(void); + +-char **conf_get_registry_list(); +-char *conf_get_isulad_native_umask(); ++char **conf_get_registry_list(void); ++char *conf_get_isulad_native_umask(void); + +-char *conf_get_isulad_cgroup_parent(); ++char *conf_get_isulad_cgroup_parent(void); + +-char *conf_get_default_runtime(); ++char *conf_get_default_runtime(void); + +-char *conf_get_graph_check_flag_file(); ++char *conf_get_graph_check_flag_file(void); + +-bool conf_get_image_layer_check_flag(); ++bool conf_get_image_layer_check_flag(void); + + int merge_json_confs_into_global(struct service_arguments *args); + +-bool conf_get_use_decrypted_key_flag(); +-bool conf_get_skip_insecure_verify_flag(); ++bool conf_get_use_decrypted_key_flag(void); ++bool conf_get_skip_insecure_verify_flag(void); + int parse_log_opts(struct service_arguments *args, const char *key, const char *value); + +-char *conf_get_isulad_monitor_fifo_path(); ++char *conf_get_isulad_monitor_fifo_path(void); + +-int init_isulad_daemon_constants(); +-isulad_daemon_constants *get_isulad_daemon_constants(); ++int init_isulad_daemon_constants(void); ++isulad_daemon_constants *get_isulad_daemon_constants(void); + + #ifdef __cplusplus + } +diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c +index ca4061b4..dbfec59e 100644 +--- a/src/daemon/executor/container_cb/execution.c ++++ b/src/daemon/executor/container_cb/execution.c +@@ -912,8 +912,8 @@ static int container_kill_cb(const container_kill_request *request, container_ki + } + + if (!util_valid_signal((int)signal)) { +- isulad_set_error_message("Not supported signal %d", signal); +- ERROR("Not supported signal %d", signal); ++ isulad_set_error_message("Not supported signal %u", signal); ++ ERROR("Not supported signal %u", signal); + cc = ISULAD_ERR_EXEC; + goto pack_response; + } +diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c +index c65aa281..9c097121 100644 +--- a/src/daemon/executor/container_cb/execution_create.c ++++ b/src/daemon/executor/container_cb/execution_create.c +@@ -706,7 +706,7 @@ out: + free(runtime_root); + free(runtime_stat); + if (ret != 0) { +- /* fail, do not use the input v2 spec, host spec and network settings, the memeory will be free by caller*/ ++ /* fail, do not use the input v2 spec, host spec and network settings, the memeory will be free by caller */ + if (cont != NULL) { + cont->common_config = NULL; + cont->hostconfig = NULL; +diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c +index 1ff360f2..ce924332 100644 +--- a/src/daemon/executor/container_cb/execution_network.c ++++ b/src/daemon/executor/container_cb/execution_network.c +@@ -81,11 +81,20 @@ out: + + static int fopen_network(FILE **fp, char **file_path, const char *rootfs, const char *filename) + { ++ int64_t size = 0; ++ + if (util_realpath_in_scope(rootfs, filename, file_path) < 0) { + SYSERROR("Failed to get real path '%s' under rootfs '%s'", filename, rootfs); + isulad_set_error_message("Failed to get real path '%s' under rootfs '%s'", filename, rootfs); + return -1; + } ++ ++ size = util_file_size(*file_path); ++ if (size > REGULAR_FILE_SIZE) { ++ ERROR("Target file '%s', size exceed limit: %lld", *file_path, REGULAR_FILE_SIZE); ++ return -1; ++ } ++ + *fp = util_fopen(*file_path, "a+"); + if (*fp == NULL) { + SYSERROR("Failed to open %s", *file_path); +diff --git a/src/daemon/executor/container_cb/execution_stream.h b/src/daemon/executor/container_cb/execution_stream.h +index 227cc2c3..c0dba7d0 100644 +--- a/src/daemon/executor/container_cb/execution_stream.h ++++ b/src/daemon/executor/container_cb/execution_stream.h +@@ -1,6 +1,3 @@ +-#ifndef DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H +-#define DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H +- + /****************************************************************************** + * Copyright (c) Huawei Technologies Co., Ltd. 2017-2019. All rights reserved. + * iSulad licensed under the Mulan PSL v2. +@@ -16,6 +13,9 @@ + * Description: provide container list callback function definition + *********************************************************************************/ + ++#ifndef DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H ++#define DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H ++ + #include "callback.h" + + #ifdef __cplusplus +diff --git a/src/daemon/executor/container_cb/list.c b/src/daemon/executor/container_cb/list.c +index 539a1314..243eb4d2 100644 +--- a/src/daemon/executor/container_cb/list.c ++++ b/src/daemon/executor/container_cb/list.c +@@ -164,14 +164,14 @@ static int append_ids(const map_t *matches, char ***filtered_ids) + return 0; + } + +-static int insert_matched_id(char **ids, map_t *matches, void *value, size_t ids_len) ++static int insert_matched_id(char **ids, map_t *matches, bool *value, size_t ids_len) + { + size_t i; + + for (i = 0; i < ids_len; i++) { + container_t *cont = containers_store_get_by_prefix(ids[i]); + if (cont != NULL) { +- bool inserted = map_insert(matches, cont->common_config->id, value); ++ bool inserted = map_insert(matches, (void *)cont->common_config->id, (void *)value); + container_unref(cont); + if (!inserted) { + ERROR("Insert map failed: %s", ids[i]); +diff --git a/src/daemon/executor/image_cb/image_cb.c b/src/daemon/executor/image_cb/image_cb.c +index 124feb21..61fa29db 100644 +--- a/src/daemon/executor/image_cb/image_cb.c ++++ b/src/daemon/executor/image_cb/image_cb.c +@@ -597,7 +597,7 @@ static int trans_one_image(image_list_images_response *response, size_t image_in + goto out; + } + +- if (!unix_nanos_to_timestamp(created_nanos, ×tamp) != 0) { ++ if (!unix_nanos_to_timestamp(created_nanos, ×tamp)) { + ERROR("Failed to translate nanos to timestamp"); + ret = -1; + goto out; +@@ -673,19 +673,6 @@ out: + return ret; + } + +-static im_list_request *image_list_context_new(const image_list_images_request *request) +-{ +- im_list_request *ctx = NULL; +- +- ctx = util_common_calloc_s(sizeof(im_list_request)); +- if (ctx == NULL) { +- ERROR("Out of memory"); +- return NULL; +- } +- +- return ctx; +-} +- + #ifdef ENABLE_OCI_IMAGE + struct image_list_context { + struct filters_args *image_filters; +@@ -731,11 +718,12 @@ static im_list_request *fold_filter(const image_list_images_request *request) + { + im_list_request *ctx = NULL; + +- ctx = image_list_context_new(request); ++ ctx = (im_list_request *)util_common_calloc_s(sizeof(im_list_request)); + if (ctx == NULL) { + ERROR("Out of memory"); + goto error_out; + } ++ + #ifdef ENABLE_OCI_IMAGE + size_t i; + if (request->filters == NULL) { +-- +2.25.1 + diff --git a/0006-restore-execSync-return-value.patch b/0006-restore-execSync-return-value.patch deleted file mode 100644 index 1518586a93d1fd8aa9922ec95b0095ff91ad2cdb..0000000000000000000000000000000000000000 --- a/0006-restore-execSync-return-value.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f591197fc150e9a137d869b518cda4cecbf70363 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Thu, 18 May 2023 19:07:13 +0800 -Subject: [PATCH 6/9] restore execSync return value - -Signed-off-by: zhongtao ---- - src/daemon/entry/connect/grpc/runtime_runtime_service.cc | 7 ------- - 1 file changed, 7 deletions(-) - -diff --git a/src/daemon/entry/connect/grpc/runtime_runtime_service.cc b/src/daemon/entry/connect/grpc/runtime_runtime_service.cc -index 63a780cb..354b220e 100644 ---- a/src/daemon/entry/connect/grpc/runtime_runtime_service.cc -+++ b/src/daemon/entry/connect/grpc/runtime_runtime_service.cc -@@ -279,13 +279,6 @@ grpc::Status RuntimeRuntimeServiceImpl::ExecSync(grpc::ServerContext *context, - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); - } - -- if (reply->exit_code() != 0) { -- ERROR("Object: CRI, Type: Sync exec in container: %s with exit code: %d", request->container_id().c_str(), -- reply->exit_code()); -- error.SetError(reply->stderr()); -- return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -- } -- - WARN("Event: {Object: CRI, Type: sync execed Container: %s}", request->container_id().c_str()); - - return grpc::Status::OK; --- -2.40.1 - diff --git a/0007-2171-Fix-nullptr-in-src-daemon-entry.patch b/0007-2171-Fix-nullptr-in-src-daemon-entry.patch new file mode 100644 index 0000000000000000000000000000000000000000..9e285ec7ffe283d6e1abd2faa5c68e937c853f09 --- /dev/null +++ b/0007-2171-Fix-nullptr-in-src-daemon-entry.patch @@ -0,0 +1,1807 @@ +From 290758ba7ee8ce9b1696628ee207bceed847d2d3 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Tue, 5 Sep 2023 11:10:11 +0000 +Subject: [PATCH 07/32] !2171 Fix nullptr in src/daemon/entry * !2160 Fix + nullptr in src/daemon/entry + +--- + .../cri/v1/cri_v1_runtime_image_service.cc | 29 ++++- + .../cri/v1/cri_v1_runtime_runtime_service.cc | 116 ++++++++++++++++- + .../cri/v1alpha/cri_runtime_image_service.cc | 29 ++++- + .../v1alpha/cri_runtime_runtime_service.cc | 118 +++++++++++++++++- + .../connect/grpc/grpc_containers_service.cc | 35 ++++++ + .../entry/connect/grpc/grpc_images_service.cc | 40 ++++++ + .../connect/grpc/grpc_server_tls_auth.cc | 4 + + .../connect/grpc/grpc_volumes_service.cc | 15 +++ + .../entry/connect/rest/rest_service_common.c | 12 +- + src/daemon/entry/cri/network_plugin.h | 10 +- + .../v1/v1_cri_container_manager_service.cc | 18 ++- + .../cri/v1/v1_cri_container_manager_service.h | 8 +- + .../cri/v1/v1_cri_image_manager_service.h | 4 +- + .../v1/v1_cri_image_manager_service_impl.cc | 12 +- + .../v1/v1_cri_image_manager_service_impl.h | 8 +- + .../v1/v1_cri_pod_sandbox_manager_service.cc | 6 +- + .../v1/v1_cri_pod_sandbox_manager_service.h | 2 +- + .../entry/cri/v1/v1_cri_runtime_service.h | 6 +- + .../cri/v1/v1_cri_runtime_service_impl.cc | 6 +- + .../cri/v1/v1_cri_runtime_service_impl.h | 6 +- + .../v1alpha/cri_container_manager_service.cc | 18 ++- + .../v1alpha/cri_container_manager_service.h | 8 +- + .../cri/v1alpha/cri_image_manager_service.h | 4 +- + .../v1alpha/cri_image_manager_service_impl.cc | 12 +- + .../v1alpha/cri_image_manager_service_impl.h | 8 +- + .../cri_pod_sandbox_manager_service.cc | 12 +- + .../v1alpha/cri_pod_sandbox_manager_service.h | 6 +- + .../entry/cri/v1alpha/cri_runtime_service.h | 8 +- + .../cri/v1alpha/cri_runtime_service_impl.cc | 8 +- + .../cri/v1alpha/cri_runtime_service_impl.h | 8 +- + 30 files changed, 471 insertions(+), 105 deletions(-) + +diff --git a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc +index f3e745ff..ac62b6eb 100644 +--- a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc ++++ b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc +@@ -33,6 +33,11 @@ grpc::Status RuntimeV1ImageServiceImpl::PullImage(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Pulling image %s}", request->image().image().c_str()); + + std::string imageRef = rService->PullImage(request->image(), request->auth(), error); +@@ -54,9 +59,14 @@ grpc::Status RuntimeV1ImageServiceImpl::ListImages(grpc::ServerContext *context, + std::vector> images; + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all images}"); + +- rService->ListImages(request->filter(), &images, error); ++ rService->ListImages(request->filter(), images, error); + if (!error.Empty()) { + ERROR("{Object: CRI, Type: Failed to list all images: %s}", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -82,6 +92,11 @@ grpc::Status RuntimeV1ImageServiceImpl::ImageStatus(grpc::ServerContext *context + std::unique_ptr image_info = nullptr; + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing image %s}", request->image().image().c_str()); + + image_info = rService->ImageStatus(request->image(), error); +@@ -108,9 +123,14 @@ grpc::Status RuntimeV1ImageServiceImpl::ImageFsInfo(grpc::ServerContext *context + std::vector> usages; + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing image fs info}"); + +- rService->ImageFsInfo(&usages, error); ++ rService->ImageFsInfo(usages, error); + if (!error.Empty()) { + ERROR("{Object: CRI, Type: Failed to status image fs info: %s}", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -135,6 +155,11 @@ grpc::Status RuntimeV1ImageServiceImpl::RemoveImage(grpc::ServerContext *context + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Removing image %s}", request->image().image().c_str()); + + rService->RemoveImage(request->image(), error); +diff --git a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc +index d897119d..b8d5746c 100644 +--- a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc ++++ b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc +@@ -51,6 +51,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Version(grpc::ServerContext *context, + runtime::v1::VersionResponse *reply) + { + Errors error; ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + m_rService->Version(request->version(), reply, error); + if (!error.Empty()) { + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -65,6 +70,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::CreateContainer(grpc::ServerContext *c + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Creating Container}"); + + std::string responseID = +@@ -86,6 +96,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::StartContainer(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Starting Container: %s}", request->container_id().c_str()); + + m_rService->StartContainer(request->container_id(), error); +@@ -105,6 +120,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::StopContainer(grpc::ServerContext *con + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Stopping Container: %s}", request->container_id().c_str()); + + m_rService->StopContainer(request->container_id(), (int64_t)request->timeout(), error); +@@ -124,6 +144,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::RemoveContainer(grpc::ServerContext *c + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Removing Container: %s}", request->container_id().c_str()); + + m_rService->RemoveContainer(request->container_id(), error); +@@ -143,10 +168,15 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ListContainers(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all Container}"); + + std::vector> containers; +- m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, &containers, error); ++ m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, containers, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list all containers %s", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -172,6 +202,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ContainerStats(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Getting Container Stats: %s}", request->container_id().c_str()); + + std::unique_ptr contStats = +@@ -193,10 +228,15 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ListContainerStats(grpc::ServerContext + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all Container stats}"); + + std::vector> containers; +- m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, &containers, error); ++ m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, containers, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list all containers stat %s", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -222,6 +262,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ContainerStatus(grpc::ServerContext *c + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing Container: %s}", request->container_id().c_str()); + + std::unique_ptr contStatus = +@@ -243,6 +288,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ExecSync(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + WARN("Event: {Object: CRI, Type: sync execing Container: %s}", request->container_id().c_str()); + + m_rService->ExecSync(request->container_id(), request->cmd(), request->timeout(), reply, error); +@@ -262,6 +312,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::RunPodSandbox(grpc::ServerContext *con + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Running Pod}"); + + std::string responseID = m_rService->RunPodSandbox(request->config(), request->runtime_handler(), error); +@@ -282,6 +337,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::StopPodSandbox(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Stopping Pod: %s}", request->pod_sandbox_id().c_str()); + + m_rService->StopPodSandbox(request->pod_sandbox_id(), error); +@@ -302,6 +362,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::RemovePodSandbox(grpc::ServerContext * + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Removing Pod: %s}", request->pod_sandbox_id().c_str()); + + m_rService->RemovePodSandbox(request->pod_sandbox_id(), error); +@@ -322,6 +387,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::PodSandboxStatus(grpc::ServerContext * + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Status Pod: %s}", request->pod_sandbox_id().c_str()); + + std::unique_ptr podStatus; +@@ -344,6 +414,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ListPodSandbox(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all Pods}"); + + std::vector> pods; +@@ -373,6 +448,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::PodSandboxStats(grpc::ServerContext *c + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Stats Pod: %s}", request->pod_sandbox_id().c_str()); + + std::unique_ptr podStats; +@@ -396,10 +476,15 @@ RuntimeV1RuntimeServiceImpl::ListPodSandboxStats(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing Pods Stats}"); + + std::vector> podsStats; +- m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, &podsStats, error); ++ m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, podsStats, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list pods stats: %s", error.GetCMessage()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -425,6 +510,11 @@ RuntimeV1RuntimeServiceImpl::UpdateContainerResources(grpc::ServerContext *conte + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + WARN("Event: {Object: CRI, Type: Updating container resources: %s}", request->container_id().c_str()); + + m_rService->UpdateContainerResources(request->container_id(), request->linux(), error); +@@ -445,6 +535,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Exec(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || response == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: execing Container: %s}", request->container_id().c_str()); + + m_rService->Exec(*request, response, error); +@@ -465,6 +560,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Attach(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || response == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: attaching Container: %s}", request->container_id().c_str()); + + m_rService->Attach(*request, response, error); +@@ -486,6 +586,11 @@ RuntimeV1RuntimeServiceImpl::UpdateRuntimeConfig(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Updating Runtime Config}"); + + m_rService->UpdateRuntimeConfig(request->runtime_config(), error); +@@ -505,6 +610,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Status(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing daemon}"); + + std::unique_ptr status = m_rService->Status(error); +diff --git a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc +index b724e729..1353933b 100644 +--- a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc ++++ b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc +@@ -33,6 +33,11 @@ grpc::Status RuntimeImageServiceImpl::PullImage(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Pulling image %s}", request->image().image().c_str()); + + std::string imageRef = rService->PullImage(request->image(), request->auth(), error); +@@ -54,9 +59,14 @@ grpc::Status RuntimeImageServiceImpl::ListImages(grpc::ServerContext *context, + std::vector> images; + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all images}"); + +- rService->ListImages(request->filter(), &images, error); ++ rService->ListImages(request->filter(), images, error); + if (!error.Empty()) { + ERROR("{Object: CRI, Type: Failed to list all images: %s}", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -82,6 +92,11 @@ grpc::Status RuntimeImageServiceImpl::ImageStatus(grpc::ServerContext *context, + std::unique_ptr image_info = nullptr; + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing image %s}", request->image().image().c_str()); + + image_info = rService->ImageStatus(request->image(), error); +@@ -108,9 +123,14 @@ grpc::Status RuntimeImageServiceImpl::ImageFsInfo(grpc::ServerContext *context, + std::vector> usages; + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing image fs info}"); + +- rService->ImageFsInfo(&usages, error); ++ rService->ImageFsInfo(usages, error); + if (!error.Empty()) { + ERROR("{Object: CRI, Type: Failed to status image fs info: %s}", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -135,6 +155,11 @@ grpc::Status RuntimeImageServiceImpl::RemoveImage(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Removing image %s}", request->image().image().c_str()); + + rService->RemoveImage(request->image(), error); +diff --git a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc +index 28775554..ec3f01cd 100644 +--- a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc ++++ b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc +@@ -49,6 +49,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Version(grpc::ServerContext *context, + runtime::v1alpha2::VersionResponse *reply) + { + Errors error; ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + m_rService->Version(request->version(), reply, error); + if (!error.Empty()) { + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -63,6 +68,11 @@ grpc::Status RuntimeRuntimeServiceImpl::CreateContainer(grpc::ServerContext *con + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Creating Container}"); + + std::string responseID = +@@ -84,6 +94,11 @@ grpc::Status RuntimeRuntimeServiceImpl::StartContainer(grpc::ServerContext *cont + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Starting Container: %s}", request->container_id().c_str()); + + m_rService->StartContainer(request->container_id(), error); +@@ -103,6 +118,11 @@ grpc::Status RuntimeRuntimeServiceImpl::StopContainer(grpc::ServerContext *conte + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Stopping Container: %s}", request->container_id().c_str()); + + m_rService->StopContainer(request->container_id(), (int64_t)request->timeout(), error); +@@ -122,6 +142,11 @@ grpc::Status RuntimeRuntimeServiceImpl::RemoveContainer(grpc::ServerContext *con + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Removing Container: %s}", request->container_id().c_str()); + + m_rService->RemoveContainer(request->container_id(), error); +@@ -141,10 +166,15 @@ grpc::Status RuntimeRuntimeServiceImpl::ListContainers(grpc::ServerContext *cont + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all Container}"); + + std::vector> containers; +- m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, &containers, error); ++ m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, containers, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list all containers %s", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -170,6 +200,11 @@ grpc::Status RuntimeRuntimeServiceImpl::ContainerStats(grpc::ServerContext *cont + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Getting Container Stats: %s}", request->container_id().c_str()); + + std::unique_ptr contStats = +@@ -191,10 +226,15 @@ grpc::Status RuntimeRuntimeServiceImpl::ListContainerStats(grpc::ServerContext * + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all Container stats}"); + + std::vector> containers; +- m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, &containers, error); ++ m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, containers, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list all containers stat %s", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -220,6 +260,11 @@ grpc::Status RuntimeRuntimeServiceImpl::ContainerStatus(grpc::ServerContext *con + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing Container: %s}", request->container_id().c_str()); + + std::unique_ptr contStatus = +@@ -241,6 +286,11 @@ grpc::Status RuntimeRuntimeServiceImpl::ExecSync(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + WARN("Event: {Object: CRI, Type: sync execing Container: %s}", request->container_id().c_str()); + + m_rService->ExecSync(request->container_id(), request->cmd(), request->timeout(), reply, error); +@@ -260,6 +310,11 @@ grpc::Status RuntimeRuntimeServiceImpl::RunPodSandbox(grpc::ServerContext *conte + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Running Pod}"); + + std::string responseID = m_rService->RunPodSandbox(request->config(), request->runtime_handler(), error); +@@ -280,6 +335,11 @@ grpc::Status RuntimeRuntimeServiceImpl::StopPodSandbox(grpc::ServerContext *cont + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Stopping Pod: %s}", request->pod_sandbox_id().c_str()); + + m_rService->StopPodSandbox(request->pod_sandbox_id(), error); +@@ -300,6 +360,11 @@ grpc::Status RuntimeRuntimeServiceImpl::RemovePodSandbox(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Removing Pod: %s}", request->pod_sandbox_id().c_str()); + + m_rService->RemovePodSandbox(request->pod_sandbox_id(), error); +@@ -320,6 +385,11 @@ grpc::Status RuntimeRuntimeServiceImpl::PodSandboxStatus(grpc::ServerContext *co + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Status Pod: %s}", request->pod_sandbox_id().c_str()); + + std::unique_ptr podStatus; +@@ -342,10 +412,15 @@ grpc::Status RuntimeRuntimeServiceImpl::ListPodSandbox(grpc::ServerContext *cont + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing all Pods}"); + + std::vector> pods; +- m_rService->ListPodSandbox(request->has_filter() ? &request->filter() : nullptr, &pods, error); ++ m_rService->ListPodSandbox(request->has_filter() ? &request->filter() : nullptr, pods, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list all pods: %s", error.GetMessage().c_str()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -370,6 +445,11 @@ grpc::Status RuntimeRuntimeServiceImpl::PodSandboxStats(grpc::ServerContext *con + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Stats Pod: %s}", request->pod_sandbox_id().c_str()); + + std::unique_ptr podStats; +@@ -393,10 +473,15 @@ RuntimeRuntimeServiceImpl::ListPodSandboxStats(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Listing Pods Stats}"); + + std::vector> podsStats; +- m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, &podsStats, error); ++ m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, podsStats, error); + if (!error.Empty()) { + ERROR("Object: CRI, Type: Failed to list pods stats: %s", error.GetCMessage()); + return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); +@@ -422,6 +507,11 @@ RuntimeRuntimeServiceImpl::UpdateContainerResources(grpc::ServerContext *context + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + WARN("Event: {Object: CRI, Type: Updating container resources: %s}", request->container_id().c_str()); + + m_rService->UpdateContainerResources(request->container_id(), request->linux(), error); +@@ -442,6 +532,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Exec(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || response == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: execing Container: %s}", request->container_id().c_str()); + + m_rService->Exec(*request, response, error); +@@ -462,6 +557,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Attach(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || response == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: attaching Container: %s}", request->container_id().c_str()); + + m_rService->Attach(*request, response, error); +@@ -483,6 +583,11 @@ RuntimeRuntimeServiceImpl::UpdateRuntimeConfig(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + EVENT("Event: {Object: CRI, Type: Updating Runtime Config}"); + + m_rService->UpdateRuntimeConfig(request->runtime_config(), error); +@@ -502,6 +607,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Status(grpc::ServerContext *context, + { + Errors error; + ++ if (request == nullptr || reply == nullptr) { ++ ERROR("Invalid input arguments"); ++ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); ++ } ++ + INFO("Event: {Object: CRI, Type: Statusing daemon}"); + + std::unique_ptr status = m_rService->Status(error); +diff --git a/src/daemon/entry/connect/grpc/grpc_containers_service.cc b/src/daemon/entry/connect/grpc/grpc_containers_service.cc +index 76f597b5..ab3f6ab7 100644 +--- a/src/daemon/entry/connect/grpc/grpc_containers_service.cc ++++ b/src/daemon/entry/connect/grpc/grpc_containers_service.cc +@@ -430,6 +430,11 @@ Status ContainerServiceImpl::RemoteExec(ServerContext *context, + container_exec_request *container_req = nullptr; + container_exec_response *container_res = nullptr; + ++ if (context == nullptr || stream == nullptr) { ++ ERROR("Invalid arguments"); ++ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + prctl(PR_SET_NAME, "ContRExec"); + + auto status = GrpcServerTlsAuth::auth(context, "container_exec_create"); +@@ -599,6 +604,11 @@ Status ContainerServiceImpl::Attach(ServerContext *context, ServerReaderWriter &init_metadata = context->client_metadata(); + auto tls_mode_kv = init_metadata.find("tls_mode"); + if (tls_mode_kv == init_metadata.end()) { +diff --git a/src/daemon/entry/connect/grpc/grpc_volumes_service.cc b/src/daemon/entry/connect/grpc/grpc_volumes_service.cc +index 8b090486..004b57b2 100644 +--- a/src/daemon/entry/connect/grpc/grpc_volumes_service.cc ++++ b/src/daemon/entry/connect/grpc/grpc_volumes_service.cc +@@ -118,6 +118,11 @@ int VolumeServiceImpl::volume_prune_response_to_grpc(volume_prune_volume_respons + + Status VolumeServiceImpl::List(ServerContext *context, const ListVolumeRequest *request, ListVolumeResponse *reply) + { ++ if (context == nullptr || request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + auto status = GrpcServerTlsAuth::auth(context, "volume_list"); + if (!status.ok()) { + return status; +@@ -152,6 +157,11 @@ Status VolumeServiceImpl::List(ServerContext *context, const ListVolumeRequest * + Status VolumeServiceImpl::Remove(ServerContext *context, const RemoveVolumeRequest *request, + RemoveVolumeResponse *reply) + { ++ if (context == nullptr || request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + auto status = GrpcServerTlsAuth::auth(context, "volume_remove"); + if (!status.ok()) { + return status; +@@ -185,6 +195,11 @@ Status VolumeServiceImpl::Remove(ServerContext *context, const RemoveVolumeReque + + Status VolumeServiceImpl::Prune(ServerContext *context, const PruneVolumeRequest *request, PruneVolumeResponse *reply) + { ++ if (context == nullptr || request == nullptr || reply == nullptr) { ++ ERROR("Invalid arguments"); ++ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); ++ } ++ + auto status = GrpcServerTlsAuth::auth(context, "volume_prune"); + if (!status.ok()) { + return status; +diff --git a/src/daemon/entry/connect/rest/rest_service_common.c b/src/daemon/entry/connect/rest/rest_service_common.c +index 54ac5c95..c4161d02 100644 +--- a/src/daemon/entry/connect/rest/rest_service_common.c ++++ b/src/daemon/entry/connect/rest/rest_service_common.c +@@ -26,7 +26,7 @@ + /* get body */ + int get_body(const evhtp_request_t *req, size_t *size_out, char **record_out) + { +- evbuf_t *buf = req->buffer_in; ++ evbuf_t *buf = NULL; + size_t read_count = 0; + size_t total = 0; + size_t content_len = 0; +@@ -34,6 +34,12 @@ int get_body(const evhtp_request_t *req, size_t *size_out, char **record_out) + char *body_p = NULL; + int ret = 0; + ++ if (req == NULL || size_out == NULL || record_out == NULL) { ++ ERROR("Invalid input arguments"); ++ return -1; ++ } ++ ++ buf = req->buffer_in; + content_len = (size_t)evbuffer_get_length(buf); + + if (content_len >= MAX_BODY_SIZE) { +@@ -81,6 +87,10 @@ empty: + /* evhtp send repsponse */ + void evhtp_send_response(evhtp_request_t *req, const char *responsedata, int rescode) + { ++ if (req == NULL || responsedata == NULL) { ++ ERROR("Invalid input arguments"); ++ return; ++ } + evhtp_headers_add_header(req->headers_out, evhtp_header_new("Content-Type", "application/json", 0, 0)); + evbuffer_add(req->buffer_out, responsedata, strlen(responsedata)); + evhtp_send_reply(req, rescode); +diff --git a/src/daemon/entry/cri/network_plugin.h b/src/daemon/entry/cri/network_plugin.h +index 09b0987a..3cb003ba 100644 +--- a/src/daemon/entry/cri/network_plugin.h ++++ b/src/daemon/entry/cri/network_plugin.h +@@ -30,11 +30,11 @@ const std::string POD_DISABLE_DEFAULT_NET_ANNOTATION_KEY = "network.alpha.kubern + class NetworkPluginConf { + public: + /* settings for net plugin */ +- NetworkPluginConf(const std::string &dockershimRootDirectory = "/var/lib/isulad/shim", +- const std::string &pluginConfDir = "/etc/cni/net.d/", +- const std::string &pluginBinDir = "/opt/cni/bin", const std::string &pluginName = "", +- const std::string &hairpinMode = "hairpin-veth", const std::string &nonMasqueradeCIDR = "", +- int32_t mtu = 1460) ++ explicit NetworkPluginConf(const std::string &dockershimRootDirectory = "/var/lib/isulad/shim", ++ const std::string &pluginConfDir = "/etc/cni/net.d/", ++ const std::string &pluginBinDir = "/opt/cni/bin", const std::string &pluginName = "", ++ const std::string &hairpinMode = "hairpin-veth", const std::string &nonMasqueradeCIDR = "", ++ int32_t mtu = 1460) + : m_dockershimRootDirectory(dockershimRootDirectory), + m_pluginConfDir(pluginConfDir), + m_pluginBinDir(pluginBinDir), +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index ba95f684..ecb7ffbd 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -653,7 +653,7 @@ void ContainerManagerService::ListContainersFromGRPC(const runtime::v1::Containe + } + + void ContainerManagerService::ListContainersToGRPC(container_list_response *response, +- std::vector> *containers, ++ std::vector> &containers, + Errors &error) + { + for (size_t i {}; i < response->containers_len; i++) { +@@ -700,12 +700,12 @@ void ContainerManagerService::ListContainersToGRPC(container_list_response *resp + CRIHelpersV1::ContainerStatusToRuntime(Container_Status(response->containers[i]->status)); + container->set_state(state); + +- containers->push_back(move(container)); ++ containers.push_back(move(container)); + } + } + + void ContainerManagerService::ListContainers(const runtime::v1::ContainerFilter *filter, +- std::vector> *containers, ++ std::vector> &containers, + Errors &error) + { + if (m_cb == nullptr || m_cb->container.list == nullptr) { +@@ -856,7 +856,7 @@ void ContainerManagerService::PackContainerStatsFilesystemUsage( + + void ContainerManagerService::ContainerStatsToGRPC( + container_stats_response *response, +- std::vector> *containerstats, Errors &error) ++ std::vector> &containerstats, Errors &error) + { + if (response == nullptr) { + return; +@@ -906,22 +906,18 @@ void ContainerManagerService::ContainerStatsToGRPC( + if (response->container_stats[i]->major_page_faults != 0u) { + container->mutable_memory()->mutable_major_page_faults()->set_value(response->container_stats[i]->major_page_faults); + } +- containerstats->push_back(std::move(container)); ++ containerstats.push_back(std::move(container)); + } + } + + void ContainerManagerService::ListContainerStats( + const runtime::v1::ContainerStatsFilter *filter, +- std::vector> *containerstats, Errors &error) ++ std::vector> &containerstats, Errors &error) + { + if (m_cb == nullptr || m_cb->container.stats == nullptr) { + error.SetError("Unimplemented callback"); + return; + } +- if (containerstats == nullptr) { +- error.SetError("Invalid arguments"); +- return; +- } + + container_stats_response *response { nullptr }; + container_stats_request *request = (container_stats_request *)util_common_calloc_s(sizeof(container_stats_request)); +@@ -998,7 +994,7 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err + goto cleanup; + } + +- ContainerStatsToGRPC(response, &contStatsVec, error); ++ ContainerStatsToGRPC(response, contStatsVec, error); + if (error.NotEmpty()) { + goto cleanup; + } +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h +index 83f4acbe..4f349829 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h +@@ -50,10 +50,10 @@ public: + void RemoveContainer(const std::string &containerID, Errors &error); + + void ListContainers(const runtime::v1::ContainerFilter *filter, +- std::vector> *containers, Errors &error); ++ std::vector> &containers, Errors &error); + + void ListContainerStats(const runtime::v1::ContainerStatsFilter *filter, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error); + + auto ContainerStats(const std::string &containerID, Errors &error) +@@ -99,11 +99,11 @@ private: + void ListContainersFromGRPC(const runtime::v1::ContainerFilter *filter, container_list_request **request, + Errors &error); + void ListContainersToGRPC(container_list_response *response, +- std::vector> *pods, Errors &error); ++ std::vector> &pods, Errors &error); + auto PackContainerStatsFilter(const runtime::v1::ContainerStatsFilter *filter, + container_stats_request *request, Errors &error) -> int; + void ContainerStatsToGRPC(container_stats_response *response, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error); + void PackContainerStatsAttributes(const char *id, std::unique_ptr &container, + Errors &error); +diff --git a/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h +index 66af0abe..3a5fdf8c 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h +@@ -28,7 +28,7 @@ public: + virtual ~ImageManagerService() = default; + + virtual void ListImages(const runtime::v1::ImageFilter &filter, +- std::vector> *images, Errors &error) = 0; ++ std::vector> &images, Errors &error) = 0; + + virtual auto ImageStatus(const runtime::v1::ImageSpec &image, + Errors &error) -> std::unique_ptr = 0; +@@ -38,7 +38,7 @@ public: + + virtual void RemoveImage(const runtime::v1::ImageSpec &image, Errors &error) = 0; + +- virtual void ImageFsInfo(std::vector> *usages, ++ virtual void ImageFsInfo(std::vector> &usages, + Errors &error) = 0; + }; + } // namespace CRIV1 +diff --git a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc +index 763b6cd5..b74834fb 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc +@@ -133,7 +133,7 @@ auto ImageManagerServiceImpl::list_request_from_grpc(const runtime::v1::ImageFil + } + + void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, +- std::vector> *images, ++ std::vector> &images, + Errors &error) + { + imagetool_images_list *list_images = response->images; +@@ -150,12 +150,12 @@ void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, + + imagetool_image_summary *element = list_images->images[i]; + conv_image_to_grpc(element, image); +- images->push_back(move(image)); ++ images.push_back(move(image)); + } + } + + void ImageManagerServiceImpl::ListImages(const runtime::v1::ImageFilter &filter, +- std::vector> *images, Errors &error) ++ std::vector> &images, Errors &error) + { + im_list_request *request { nullptr }; + im_list_response *response { nullptr }; +@@ -331,7 +331,7 @@ cleanup: + } + + void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, +- std::vector> *fs_infos, ++ std::vector> &fs_infos, + Errors & /*error*/) + { + imagetool_fs_info *got_fs_info = response->fs_info; +@@ -381,11 +381,11 @@ void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, + fs_info->set_allocated_inodes_used(inodes_used); + } + +- fs_infos->push_back(std::move(fs_info)); ++ fs_infos.push_back(std::move(fs_info)); + } + } + +-void ImageManagerServiceImpl::ImageFsInfo(std::vector> *usages, ++void ImageManagerServiceImpl::ImageFsInfo(std::vector> &usages, + Errors &error) + { + im_fs_info_response *response { nullptr }; +diff --git a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h +index 30e7c588..3f13a157 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h ++++ b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h +@@ -30,7 +30,7 @@ public: + virtual ~ImageManagerServiceImpl() = default; + + void ListImages(const runtime::v1::ImageFilter &filter, +- std::vector> *images, Errors &error) override; ++ std::vector> &images, Errors &error) override; + + std::unique_ptr ImageStatus(const runtime::v1::ImageSpec &image, + Errors &error) override; +@@ -40,7 +40,7 @@ public: + + void RemoveImage(const runtime::v1::ImageSpec &image, Errors &error) override; + +- void ImageFsInfo(std::vector> *usages, Errors &error) override; ++ void ImageFsInfo(std::vector> &usages, Errors &error) override; + + private: + int pull_request_from_grpc(const runtime::v1::ImageSpec *image, const runtime::v1::AuthConfig *auth, +@@ -48,7 +48,7 @@ private: + + int list_request_from_grpc(const runtime::v1::ImageFilter *filter, im_list_request **request, Errors &error); + +- void list_images_to_grpc(im_list_response *response, std::vector> *images, ++ void list_images_to_grpc(im_list_response *response, std::vector> &images, + Errors &error); + + int status_request_from_grpc(const runtime::v1::ImageSpec *image, im_summary_request **request, +@@ -57,7 +57,7 @@ private: + std::unique_ptr status_image_to_grpc(im_summary_response *response, Errors &error); + + void fs_info_to_grpc(im_fs_info_response *response, +- std::vector> *fs_infos, Errors &error); ++ std::vector> &fs_infos, Errors &error); + + int remove_request_from_grpc(const runtime::v1::ImageSpec *image, im_rmi_request **request, Errors &error); + }; +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index 687f4e6d..d57338c8 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -915,7 +915,7 @@ void PodSandboxManagerService::PackagePodSandboxContainerStats( + runtime::v1::ContainerStatsFilter filter; + + filter.set_pod_sandbox_id(id); +- containerManager->ListContainerStats(&filter, &containerStats, error); ++ containerManager->ListContainerStats(&filter, containerStats, error); + if (error.NotEmpty()) { + error.Errorf("Failed to list container stats: %s", error.GetCMessage()); + return; +@@ -1140,7 +1140,7 @@ cleanup: + + void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, + const std::unique_ptr &containerManager, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) + { + std::vector podSandboxIDs; +@@ -1165,7 +1165,7 @@ void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1::PodSandbox + continue; + } + +- podsStats->push_back(move(podStats)); ++ podsStats.push_back(move(podStats)); + } + } + +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +index ddab6f4e..99347fd8 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +@@ -66,7 +66,7 @@ public: + + void ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, + const std::unique_ptr &containerManager, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error); + + void PortForward(const runtime::v1::PortForwardRequest &req, runtime::v1::PortForwardResponse *resp, +diff --git a/src/daemon/entry/cri/v1/v1_cri_runtime_service.h b/src/daemon/entry/cri/v1/v1_cri_runtime_service.h +index cd7c52db..87394173 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_runtime_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_runtime_service.h +@@ -43,10 +43,10 @@ public: + virtual void RemoveContainer(const std::string &containerID, Errors &error) = 0; + + virtual void ListContainers(const runtime::v1::ContainerFilter *filter, +- std::vector> *containers, Errors &error) = 0; ++ std::vector> &containers, Errors &error) = 0; + + virtual void ListContainerStats(const runtime::v1::ContainerStatsFilter *filter, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error) = 0; + + virtual auto ContainerStats(const std::string &containerID, +@@ -80,7 +80,7 @@ public: + Errors &error) -> std::unique_ptr = 0; + + virtual void ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) = 0; + + virtual void UpdateContainerResources(const std::string &containerID, +diff --git a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc +index b6652f7d..67cda5ed 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc +@@ -57,7 +57,7 @@ void CRIRuntimeServiceImpl::RemoveContainer(const std::string &containerID, Erro + } + + void CRIRuntimeServiceImpl::ListContainers(const runtime::v1::ContainerFilter *filter, +- std::vector> *containers, ++ std::vector> &containers, + Errors &error) + { + m_containerManager->ListContainers(filter, containers, error); +@@ -65,7 +65,7 @@ void CRIRuntimeServiceImpl::ListContainers(const runtime::v1::ContainerFilter *f + + void CRIRuntimeServiceImpl::ListContainerStats( + const runtime::v1::ContainerStatsFilter *filter, +- std::vector> *containerstats, Errors &error) ++ std::vector> &containerstats, Errors &error) + { + m_containerManager->ListContainerStats(filter, containerstats, error); + } +@@ -145,7 +145,7 @@ auto CRIRuntimeServiceImpl::PodSandboxStats(const std::string &podSandboxID, Err + + void + CRIRuntimeServiceImpl::ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) + { + m_podSandboxManager->ListPodSandboxStats(filter, m_containerManager, podsStats, error); +diff --git a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h +index 49272281..23866648 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h ++++ b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h +@@ -45,10 +45,10 @@ public: + void RemoveContainer(const std::string &containerID, Errors &error) override; + + void ListContainers(const runtime::v1::ContainerFilter *filter, +- std::vector> *containers, Errors &error) override; ++ std::vector> &containers, Errors &error) override; + + void ListContainerStats(const runtime::v1::ContainerStatsFilter *filter, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error) override; + + auto ContainerStats(const std::string &containerID, Errors &error) +@@ -82,7 +82,7 @@ public: + Errors &error) -> std::unique_ptr override; + + void ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) override; + + void UpdateContainerResources(const std::string &containerID, +diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc +index 569f339b..b4faab95 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc +@@ -671,7 +671,7 @@ void ContainerManagerService::ListContainersFromGRPC(const runtime::v1alpha2::Co + } + + void ContainerManagerService::ListContainersToGRPC(container_list_response *response, +- std::vector> *pods, ++ std::vector> &pods, + Errors &error) + { + for (size_t i {}; i < response->containers_len; i++) { +@@ -718,12 +718,12 @@ void ContainerManagerService::ListContainersToGRPC(container_list_response *resp + CRIHelpersV1Alpha::ContainerStatusToRuntime(Container_Status(response->containers[i]->status)); + container->set_state(state); + +- pods->push_back(move(container)); ++ pods.push_back(move(container)); + } + } + + void ContainerManagerService::ListContainers(const runtime::v1alpha2::ContainerFilter *filter, +- std::vector> *containers, ++ std::vector> &containers, + Errors &error) + { + if (m_cb == nullptr || m_cb->container.list == nullptr) { +@@ -874,7 +874,7 @@ void ContainerManagerService::PackContainerStatsFilesystemUsage( + + void ContainerManagerService::ContainerStatsToGRPC( + container_stats_response *response, +- std::vector> *containerstats, Errors &error) ++ std::vector> &containerstats, Errors &error) + { + if (response == nullptr) { + return; +@@ -924,22 +924,18 @@ void ContainerManagerService::ContainerStatsToGRPC( + if (response->container_stats[i]->major_page_faults != 0u) { + container->mutable_memory()->mutable_major_page_faults()->set_value(response->container_stats[i]->major_page_faults); + } +- containerstats->push_back(std::move(container)); ++ containerstats.push_back(std::move(container)); + } + } + + void ContainerManagerService::ListContainerStats( + const runtime::v1alpha2::ContainerStatsFilter *filter, +- std::vector> *containerstats, Errors &error) ++ std::vector> &containerstats, Errors &error) + { + if (m_cb == nullptr || m_cb->container.stats == nullptr) { + error.SetError("Unimplemented callback"); + return; + } +- if (containerstats == nullptr) { +- error.SetError("Invalid arguments"); +- return; +- } + + container_stats_response *response { nullptr }; + container_stats_request *request = (container_stats_request *)util_common_calloc_s(sizeof(container_stats_request)); +@@ -1016,7 +1012,7 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err + goto cleanup; + } + +- ContainerStatsToGRPC(response, &contStatsVec, error); ++ ContainerStatsToGRPC(response, contStatsVec, error); + if (error.NotEmpty()) { + goto cleanup; + } +diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h +index ea22b1cd..f802d3bc 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h ++++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h +@@ -47,10 +47,10 @@ public: + void RemoveContainer(const std::string &containerID, Errors &error); + + void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, +- std::vector> *containers, Errors &error); ++ std::vector> &containers, Errors &error); + + void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error); + + auto ContainerStats(const std::string &containerID, Errors &error) +@@ -97,11 +97,11 @@ private: + void ListContainersFromGRPC(const runtime::v1alpha2::ContainerFilter *filter, container_list_request **request, + Errors &error); + void ListContainersToGRPC(container_list_response *response, +- std::vector> *pods, Errors &error); ++ std::vector> &pods, Errors &error); + auto PackContainerStatsFilter(const runtime::v1alpha2::ContainerStatsFilter *filter, + container_stats_request *request, Errors &error) -> int; + void ContainerStatsToGRPC(container_stats_response *response, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error); + void PackContainerStatsAttributes(const char *id, std::unique_ptr &container, + Errors &error); +diff --git a/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h b/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h +index b6e506d5..9b2530ab 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h ++++ b/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h +@@ -28,7 +28,7 @@ public: + virtual ~ImageManagerService() = default; + + virtual void ListImages(const runtime::v1alpha2::ImageFilter &filter, +- std::vector> *images, Errors &error) = 0; ++ std::vector> &images, Errors &error) = 0; + + virtual auto ImageStatus(const runtime::v1alpha2::ImageSpec &image, + Errors &error) -> std::unique_ptr = 0; +@@ -38,7 +38,7 @@ public: + + virtual void RemoveImage(const runtime::v1alpha2::ImageSpec &image, Errors &error) = 0; + +- virtual void ImageFsInfo(std::vector> *usages, ++ virtual void ImageFsInfo(std::vector> &usages, + Errors &error) = 0; + }; + } // namespace CRI +diff --git a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc +index ad9e8ef1..3ff79ffc 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc +@@ -133,7 +133,7 @@ auto ImageManagerServiceImpl::list_request_from_grpc(const runtime::v1alpha2::Im + } + + void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, +- std::vector> *images, ++ std::vector> &images, + Errors &error) + { + imagetool_images_list *list_images = response->images; +@@ -150,12 +150,12 @@ void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, + + imagetool_image_summary *element = list_images->images[i]; + conv_image_to_grpc(element, image); +- images->push_back(move(image)); ++ images.push_back(move(image)); + } + } + + void ImageManagerServiceImpl::ListImages(const runtime::v1alpha2::ImageFilter &filter, +- std::vector> *images, Errors &error) ++ std::vector> &images, Errors &error) + { + im_list_request *request { nullptr }; + im_list_response *response { nullptr }; +@@ -331,7 +331,7 @@ cleanup: + } + + void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, +- std::vector> *fs_infos, ++ std::vector> &fs_infos, + Errors & /*error*/) + { + imagetool_fs_info *got_fs_info = response->fs_info; +@@ -381,11 +381,11 @@ void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, + fs_info->set_allocated_inodes_used(inodes_used); + } + +- fs_infos->push_back(std::move(fs_info)); ++ fs_infos.push_back(std::move(fs_info)); + } + } + +-void ImageManagerServiceImpl::ImageFsInfo(std::vector> *usages, ++void ImageManagerServiceImpl::ImageFsInfo(std::vector> &usages, + Errors &error) + { + im_fs_info_response *response { nullptr }; +diff --git a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h +index b94f8908..edf482c9 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h ++++ b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h +@@ -30,7 +30,7 @@ public: + virtual ~ImageManagerServiceImpl() = default; + + void ListImages(const runtime::v1alpha2::ImageFilter &filter, +- std::vector> *images, Errors &error) override; ++ std::vector> &images, Errors &error) override; + + std::unique_ptr ImageStatus(const runtime::v1alpha2::ImageSpec &image, + Errors &error) override; +@@ -40,7 +40,7 @@ public: + + void RemoveImage(const runtime::v1alpha2::ImageSpec &image, Errors &error) override; + +- void ImageFsInfo(std::vector> *usages, Errors &error) override; ++ void ImageFsInfo(std::vector> &usages, Errors &error) override; + + private: + int pull_request_from_grpc(const runtime::v1alpha2::ImageSpec *image, const runtime::v1alpha2::AuthConfig *auth, +@@ -48,7 +48,7 @@ private: + + int list_request_from_grpc(const runtime::v1alpha2::ImageFilter *filter, im_list_request **request, Errors &error); + +- void list_images_to_grpc(im_list_response *response, std::vector> *images, ++ void list_images_to_grpc(im_list_response *response, std::vector> &images, + Errors &error); + + int status_request_from_grpc(const runtime::v1alpha2::ImageSpec *image, im_summary_request **request, +@@ -57,7 +57,7 @@ private: + std::unique_ptr status_image_to_grpc(im_summary_response *response, Errors &error); + + void fs_info_to_grpc(im_fs_info_response *response, +- std::vector> *fs_infos, Errors &error); ++ std::vector> &fs_infos, Errors &error); + + int remove_request_from_grpc(const runtime::v1alpha2::ImageSpec *image, im_rmi_request **request, Errors &error); + }; +diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc +index d23e7754..c24c1f69 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc +@@ -1246,7 +1246,7 @@ void PodSandboxManagerService::ListPodSandboxFromGRPC(const runtime::v1alpha2::P + } + + void PodSandboxManagerService::ListPodSandboxToGRPC(container_list_response *response, +- std::vector> *pods, ++ std::vector> &pods, + bool filterOutReadySandboxes, Errors &error) + { + for (size_t i = 0; i < response->containers_len; i++) { +@@ -1272,12 +1272,12 @@ void PodSandboxManagerService::ListPodSandboxToGRPC(container_list_response *res + continue; + } + +- pods->push_back(std::move(pod)); ++ pods.push_back(std::move(pod)); + } + } + + void PodSandboxManagerService::ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, +- std::vector> *pods, ++ std::vector> &pods, + Errors &error) + { + int ret = 0; +@@ -1464,7 +1464,7 @@ void PodSandboxManagerService::PackagePodSandboxContainerStats( + runtime::v1alpha2::ContainerStatsFilter filter; + + filter.set_pod_sandbox_id(id); +- containerManager->ListContainerStats(&filter, &containerStats, error); ++ containerManager->ListContainerStats(&filter, containerStats, error); + if (error.NotEmpty()) { + error.Errorf("Failed to list container stats: %s", error.GetCMessage()); + return; +@@ -1689,7 +1689,7 @@ cleanup: + + void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, + const std::unique_ptr &containerManager, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) + { + std::vector podSandboxIDs; +@@ -1714,7 +1714,7 @@ void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1alpha2::PodS + continue; + } + +- podsStats->push_back(move(podStats)); ++ podsStats.push_back(move(podStats)); + } + } + +diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h +index 2f4505df..1a075f86 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h ++++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h +@@ -57,7 +57,7 @@ public: + -> std::unique_ptr; + + void ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, +- std::vector> *pods, Errors &error); ++ std::vector> &pods, Errors &error); + + auto PodSandboxStats(const std::string &podSandboxID, + const std::unique_ptr &containerManager, +@@ -65,7 +65,7 @@ public: + + void ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, + const std::unique_ptr &containerManager, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error); + + void PortForward(const runtime::v1alpha2::PortForwardRequest &req, runtime::v1alpha2::PortForwardResponse *resp, +@@ -130,7 +130,7 @@ private: + void ListPodSandboxFromGRPC(const runtime::v1alpha2::PodSandboxFilter *filter, container_list_request **request, + bool *filterOutReadySandboxes, Errors &error); + void ListPodSandboxToGRPC(container_list_response *response, +- std::vector> *pods, ++ std::vector> &pods, + bool filterOutReadySandboxes, Errors &error); + void UpdatePodSandboxNetworkSettings(const std::string &id, const std::string &json, Errors &error); + auto GetNsenterPath(Errors &error) -> std::string; +diff --git a/src/daemon/entry/cri/v1alpha/cri_runtime_service.h b/src/daemon/entry/cri/v1alpha/cri_runtime_service.h +index d157237c..79f61a44 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_runtime_service.h ++++ b/src/daemon/entry/cri/v1alpha/cri_runtime_service.h +@@ -43,10 +43,10 @@ public: + virtual void RemoveContainer(const std::string &containerID, Errors &error) = 0; + + virtual void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, +- std::vector> *containers, Errors &error) = 0; ++ std::vector> &containers, Errors &error) = 0; + + virtual void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error) = 0; + + virtual auto ContainerStats(const std::string &containerID, +@@ -74,13 +74,13 @@ public: + Errors &error) -> std::unique_ptr = 0; + + virtual void ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, +- std::vector> *pods, Errors &error) = 0; ++ std::vector> &pods, Errors &error) = 0; + + virtual auto PodSandboxStats(const std::string &podSandboxID, + Errors &error) -> std::unique_ptr = 0; + + virtual void ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) = 0; + + virtual void UpdateContainerResources(const std::string &containerID, +diff --git a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc +index 778b0b69..d50e23e9 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc +@@ -57,7 +57,7 @@ void CRIRuntimeServiceImpl::RemoveContainer(const std::string &containerID, Erro + } + + void CRIRuntimeServiceImpl::ListContainers(const runtime::v1alpha2::ContainerFilter *filter, +- std::vector> *containers, ++ std::vector> &containers, + Errors &error) + { + m_containerManager->ListContainers(filter, containers, error); +@@ -65,7 +65,7 @@ void CRIRuntimeServiceImpl::ListContainers(const runtime::v1alpha2::ContainerFil + + void CRIRuntimeServiceImpl::ListContainerStats( + const runtime::v1alpha2::ContainerStatsFilter *filter, +- std::vector> *containerstats, Errors &error) ++ std::vector> &containerstats, Errors &error) + { + m_containerManager->ListContainerStats(filter, containerstats, error); + } +@@ -131,7 +131,7 @@ auto CRIRuntimeServiceImpl::PodSandboxStatus(const std::string &podSandboxID, Er + } + + void CRIRuntimeServiceImpl::ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, +- std::vector> *pods, ++ std::vector> &pods, + Errors &error) + { + m_podSandboxManager->ListPodSandbox(filter, pods, error); +@@ -145,7 +145,7 @@ auto CRIRuntimeServiceImpl::PodSandboxStats(const std::string &podSandboxID, Err + + void + CRIRuntimeServiceImpl::ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) + { + m_podSandboxManager->ListPodSandboxStats(filter, m_containerManager, podsStats, error); +diff --git a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h +index f2323524..23c8a400 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h ++++ b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h +@@ -45,10 +45,10 @@ public: + void RemoveContainer(const std::string &containerID, Errors &error) override; + + void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, +- std::vector> *containers, Errors &error) override; ++ std::vector> &containers, Errors &error) override; + + void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, +- std::vector> *containerstats, ++ std::vector> &containerstats, + Errors &error) override; + + auto ContainerStats(const std::string &containerID, Errors &error) +@@ -76,13 +76,13 @@ public: + -> std::unique_ptr override; + + void ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, +- std::vector> *pods, Errors &error) override; ++ std::vector> &pods, Errors &error) override; + + auto PodSandboxStats(const std::string &podSandboxID, + Errors &error) -> std::unique_ptr override; + + void ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, +- std::vector> *podsStats, ++ std::vector> &podsStats, + Errors &error) override; + + void UpdateContainerResources(const std::string &containerID, +-- +2.25.1 + diff --git a/0007-reinforce-cri_stream.sh-and-health_check.sh.patch b/0007-reinforce-cri_stream.sh-and-health_check.sh.patch deleted file mode 100644 index 44e432d3003cd005b16d140070e864e63f524f8c..0000000000000000000000000000000000000000 --- a/0007-reinforce-cri_stream.sh-and-health_check.sh.patch +++ /dev/null @@ -1,131 +0,0 @@ -From e04d2f1d8382e7b3e81ab4725a21562147ad1727 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Mon, 22 May 2023 12:50:32 +0800 -Subject: [PATCH 7/9] reinforce cri_stream.sh and health_check.sh - -Signed-off-by: zhongtao ---- - CI/test_cases/container_cases/cri_stream.sh | 30 ++++++++++++---- - CI/test_cases/container_cases/health_check.sh | 34 ++++++++++++++----- - 2 files changed, 50 insertions(+), 14 deletions(-) - -diff --git a/CI/test_cases/container_cases/cri_stream.sh b/CI/test_cases/container_cases/cri_stream.sh -index 8b5440d3..bfe90208 100755 ---- a/CI/test_cases/container_cases/cri_stream.sh -+++ b/CI/test_cases/container_cases/cri_stream.sh -@@ -58,6 +58,9 @@ function set_up() - function test_cri_exec_fun() - { - local ret=0 -+ local retry_limit=20 -+ local retry_interval=1 -+ local success=1 - local test="test_cri_exec_fun => (${FUNCNAME[@]})" - msg_info "${test} starting..." - declare -a fun_pids -@@ -74,9 +77,15 @@ function test_cri_exec_fun() - done - wait ${abn_pids[*]// /|} - -- sleep 2 -- ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy -- [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI exec operation" && ((ret++)) -+ for i in $(seq 1 "$retry_limit"); do -+ ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy -+ if [ $? -ne 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI exec operation" && ((ret++)) - - msg_info "${test} finished with return ${ret}..." - return ${ret} -@@ -85,6 +94,9 @@ function test_cri_exec_fun() - function test_cri_exec_abn - { - local ret=0 -+ local retry_limit=20 -+ local retry_interval=1 -+ local success=1 - local test="test_cri_exec_abn => (${FUNCNAME[@]})" - msg_info "${test} starting..." - -@@ -92,10 +104,16 @@ function test_cri_exec_abn - pid=$! - sleep 3 - kill -9 $pid -- sleep 2 - -- ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy -- [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI exec operation" && ((ret++)) -+ for i in $(seq 1 "$retry_limit"); do -+ ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy -+ if [ $? -ne 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI exec operation" && ((ret++)) - - msg_info "${test} finished with return ${ret}..." - return ${ret} -diff --git a/CI/test_cases/container_cases/health_check.sh b/CI/test_cases/container_cases/health_check.sh -index 1542bd09..28af6149 100755 ---- a/CI/test_cases/container_cases/health_check.sh -+++ b/CI/test_cases/container_cases/health_check.sh -@@ -123,6 +123,9 @@ function test_health_check_timeout() - { - local ret=0 - local image="busybox" -+ local retry_limit=10 -+ local retry_interval=1 -+ local success=1 - local test="list && inspect image info test => (${FUNCNAME[@]})" - - msg_info "${test} starting..." -@@ -139,16 +142,31 @@ function test_health_check_timeout() - [[ $(isula inspect -f '{{.State.Status}}' ${container_name}) == "running" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container status: not running" && ((ret++)) - -- sleep 2 # Health check has been performed yet -- -+ # Health check has been performed yet -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done - # Initial status when the container is still starting -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) -- -- sleep 10 # finish first health check -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) -+ -+ sleep 7 # finish first health check -+ -+ success=1 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done - # The container process exits and the health check status becomes unhealthy -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) - - [[ $(isula inspect -f '{{.State.ExitCode}}' ${container_name}) == "137" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container exit code: not 137" && ((ret++)) --- -2.40.1 - diff --git a/0008-Add-vsock-support-for-exec.patch b/0008-Add-vsock-support-for-exec.patch new file mode 100644 index 0000000000000000000000000000000000000000..029a6c6403cd99815887334bd84a092822df1b8a --- /dev/null +++ b/0008-Add-vsock-support-for-exec.patch @@ -0,0 +1,1123 @@ +From ee941bd9f7520eb1160d6fb8a80cca2552f5d990 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Thu, 7 Sep 2023 20:11:55 +0800 +Subject: [PATCH 08/32] Add vsock support for exec + +Signed-off-by: xuxuepeng +--- + src/daemon/modules/service/CMakeLists.txt | 4 + + .../modules/service/service_container.c | 90 +- + .../modules/service/vsock_io_handler.cc | 812 ++++++++++++++++++ + src/daemon/modules/service/vsock_io_handler.h | 46 + + src/daemon/sandbox/sandbox.cc | 21 + + src/daemon/sandbox/sandbox.h | 6 + + 6 files changed, 966 insertions(+), 13 deletions(-) + create mode 100644 src/daemon/modules/service/vsock_io_handler.cc + create mode 100644 src/daemon/modules/service/vsock_io_handler.h + +diff --git a/src/daemon/modules/service/CMakeLists.txt b/src/daemon/modules/service/CMakeLists.txt +index b0e9f04a..a7713c15 100644 +--- a/src/daemon/modules/service/CMakeLists.txt ++++ b/src/daemon/modules/service/CMakeLists.txt +@@ -5,6 +5,10 @@ if(NOT ENABLE_NATIVE_NETWORK) + list(REMOVE_ITEM local_service_srcs "${CMAKE_CURRENT_SOURCE_DIR}/service_network.c") + endif() + ++if(NOT ENABLE_CRI_API_V1) ++ list(REMOVE_ITEM local_service_srcs "${CMAKE_CURRENT_SOURCE_DIR}/vsock_io_handler.cc") ++endif() ++ + set(SERVICE_SRCS + ${local_service_srcs} + PARENT_SCOPE +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index a9da669a..c4ee0223 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -71,6 +71,7 @@ + #include "id_name_manager.h" + #ifdef ENABLE_CRI_API_V1 + #include "sandbox_ops.h" ++#include "vsock_io_handler.h" + #endif + + #define KATA_RUNTIME "kata-runtime" +@@ -2054,9 +2055,41 @@ out: + return ret; + } + +-static int exec_prepare_console(const container_t *cont, const container_exec_request *request, int stdinfd, +- struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, +- char **fifos, char **fifopath, int *sync_fd, pthread_t *thread_id) ++#ifdef ENABLE_CRI_API_V1 ++static int exec_prepare_vsock(const container_t *cont, const container_exec_request *request, int stdinfd, ++ struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, ++ char **vsockpaths, int *sync_fd, pthread_t *thread_id) ++{ ++ uint32_t cid; ++ const char *task_address = cont->common_config->sandbox_info->task_address; ++ if (!parse_vsock_path(task_address, &cid, NULL)) { ++ ERROR("Failed to parse vsock path %s", task_address); ++ return -1; ++ } ++ ++ if (!request->attach_stdin && !request->attach_stdout && !request->attach_stderr) { ++ return 0; ++ } ++ ++ if (create_daemon_vsockpaths(cont->common_config->sandbox_info->id, cid, request->attach_stdin, request->attach_stdout, ++ request->attach_stderr, vsockpaths) != 0) { ++ return -1; ++ } ++ ++ *sync_fd = eventfd(0, EFD_CLOEXEC); ++ if (*sync_fd < 0) { ++ SYSERROR("Failed to create eventfd"); ++ return -1; ++ } ++ ++ return start_vsock_io_copy(request->suffix, *sync_fd, false, request->stdin, request->stdout, request->stderr, stdinfd, ++ stdout_handler, stderr_handler, (const char **)vsockpaths, thread_id); ++} ++#endif ++ ++static int exec_prepare_fifo(const container_t *cont, const container_exec_request *request, int stdinfd, ++ struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, ++ char **fifos, char **fifopath, int *sync_fd, pthread_t *thread_id) + { + int ret = 0; + const char *id = cont->common_config->id; +@@ -2070,7 +2103,7 @@ static int exec_prepare_console(const container_t *cont, const container_exec_re + + *sync_fd = eventfd(0, EFD_CLOEXEC); + if (*sync_fd < 0) { +- ERROR("Failed to create eventfd: %s", strerror(errno)); ++ SYSERROR("Failed to create eventfd"); + ret = -1; + goto out; + } +@@ -2084,6 +2117,26 @@ out: + return ret; + } + ++#ifdef ENABLE_CRI_API_V1 ++static bool is_vsock_supported(const container_t *cont) ++{ ++ return cont->common_config->sandbox_info != NULL && ++ is_vsock_path(cont->common_config->sandbox_info->task_address); ++} ++#endif ++ ++static int exec_prepare_console(const container_t *cont, const container_exec_request *request, int stdinfd, ++ struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, ++ char **io_addresses, char **iopath, int *sync_fd, pthread_t *thread_id) ++{ ++#ifdef ENABLE_CRI_API_V1 ++ if (is_vsock_supported(cont)) { ++ return exec_prepare_vsock(cont, request, stdinfd, stdout_handler, stderr_handler, io_addresses, sync_fd, thread_id); ++ } ++#endif ++ return exec_prepare_fifo(cont, request, stdinfd, stdout_handler, stderr_handler, io_addresses, iopath, sync_fd, thread_id); ++} ++ + static void exec_container_end(container_exec_response *response, const container_t *cont, + const char *exec_id, uint32_t cc, + int exit_code, int sync_fd, pthread_t thread_id) +@@ -2117,6 +2170,17 @@ static void exec_container_end(container_exec_response *response, const containe + } + } + ++static void cleanup_exec_console_io(const container_t *cont, const char *fifopath, const char *io_addresses[]) ++{ ++#ifdef ENABLE_CRI_API_V1 ++ if (is_vsock_supported(cont)) { ++ delete_daemon_vsockpaths(cont->common_config->sandbox_info->id, io_addresses); ++ return; ++ } ++#endif ++ delete_daemon_fifos(fifopath, (const char **)io_addresses); ++} ++ + static int get_exec_user_info(const container_t *cont, const char *username, defs_process_user **puser) + { + int ret = 0; +@@ -2178,8 +2242,8 @@ int exec_container(const container_t *cont, const container_exec_request *reques + int sync_fd = -1; + uint32_t cc = ISULAD_SUCCESS; + char *id = NULL; +- char *fifos[3] = { NULL, NULL, NULL }; +- char *fifopath = NULL; ++ char *io_addresses[3] = { NULL, NULL, NULL }; ++ char *iopath = NULL; + pthread_t thread_id = 0; + defs_process_user *puser = NULL; + char exec_command[EVENT_ARGS_MAX] = { 0x00 }; +@@ -2237,13 +2301,13 @@ int exec_container(const container_t *cont, const container_exec_request *reques + } + } + +- if (exec_prepare_console(cont, request, stdinfd, stdout_handler, stderr_handler, fifos, &fifopath, &sync_fd, ++ if (exec_prepare_console(cont, request, stdinfd, stdout_handler, stderr_handler, io_addresses, &iopath, &sync_fd, + &thread_id)) { + cc = ISULAD_ERR_EXEC; + goto pack_response; + } + (void)isulad_monitor_send_container_event(id, EXEC_START, -1, 0, exec_command, NULL); +- if (do_exec_container(cont, cont->runtime, (char * const *)fifos, puser, request, &exit_code)) { ++ if (do_exec_container(cont, cont->runtime, (char * const *)io_addresses, puser, request, &exit_code)) { + cc = ISULAD_ERR_EXEC; + goto pack_response; + } +@@ -2253,11 +2317,11 @@ int exec_container(const container_t *cont, const container_exec_request *reques + + pack_response: + exec_container_end(response, cont, request->suffix, cc, exit_code, sync_fd, thread_id); +- delete_daemon_fifos(fifopath, (const char **)fifos); +- free(fifos[0]); +- free(fifos[1]); +- free(fifos[2]); +- free(fifopath); ++ cleanup_exec_console_io(cont, iopath, (const char **)io_addresses); ++ free(io_addresses[0]); ++ free(io_addresses[1]); ++ free(io_addresses[2]); ++ free(iopath); + free_defs_process_user(puser); + + return (cc == ISULAD_SUCCESS) ? 0 : -1; +diff --git a/src/daemon/modules/service/vsock_io_handler.cc b/src/daemon/modules/service/vsock_io_handler.cc +new file mode 100644 +index 00000000..efc74bc8 +--- /dev/null ++++ b/src/daemon/modules/service/vsock_io_handler.cc +@@ -0,0 +1,812 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: xuxuepeng ++ * Create: 2023-09-04 ++ * Description: provide vsock io functions ++ ********************************************************************************/ ++#include "vsock_io_handler.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "console.h" ++#include "utils.h" ++#include "sandbox_manager.h" ++#include "sandbox.h" ++ ++const std::string VSOCK_PREFIX = "vsock://"; ++const int VSOCK_RETRY_INTERVAL = 1000; // 1000ms ++const int VSOCK_RETRY_TIMEOUT = 10000; // 10000ms ++const int MILLI_TO_MICRO = 1000; ++ ++bool is_vsock_path(const char *path) ++{ ++ if (path == NULL) { ++ return false; ++ } ++ std::string path_str = path; ++ if (path_str.find(VSOCK_PREFIX) == 0) { ++ return true; ++ } ++ ++ return false; ++} ++ ++bool parse_vsock_path(const char *vsock_path, uint32_t *cid, uint32_t *port) ++{ ++ uint32_t vsock_cid, vsock_port; ++ ++ if (!is_vsock_path(vsock_path)) { ++ ERROR("Invalid vsock path, %s", vsock_path); ++ return false; ++ } ++ std::string vsock_path_str = vsock_path; ++ std::string vsock_address = vsock_path_str.substr(VSOCK_PREFIX.size()); ++ if (vsock_address.empty()) { ++ ERROR("Invalid vsock address, %s", vsock_path); ++ return false; ++ } ++ ++ // split vsock_address by ':' ++ size_t col_pos = vsock_address.find(':'); ++ if (col_pos == std::string::npos) { ++ ERROR("Failed to find ':' in vsock address, %s", vsock_path); ++ return false; ++ } ++ ++ std::string cid_str = vsock_address.substr(0, col_pos); ++ if (util_safe_uint(cid_str.c_str(), &vsock_cid) != 0) { ++ ERROR("Failed to parse cid, %s", cid_str.c_str()); ++ return false; ++ } ++ ++ std::string port_str = vsock_address.substr(col_pos + 1); ++ if (util_safe_uint(port_str.c_str(), &vsock_port) != 0) { ++ ERROR("Failed to parse port, %s", port_str.c_str()); ++ return false; ++ } ++ ++ if (cid != NULL) { ++ *cid = vsock_cid; ++ } ++ ++ if (port != NULL) { ++ *port = vsock_port; ++ } ++ ++ return true; ++} ++ ++static int find_available_vsock_port_for_sandbox(const char *sandbox_id, uint32_t *port) ++{ ++ if (sandbox_id == NULL || port == NULL) { ++ ERROR("Invalid NULL sandbox id or port"); ++ return -1; ++ } ++ std::string sandbox_id_str = sandbox_id; ++ std::shared_ptr sandbox = sandbox::SandboxManager::GetInstance()->GetSandbox(sandbox_id_str); ++ if (sandbox == nullptr) { ++ ERROR("Failed to find sandbox %s", sandbox_id); ++ return -1; ++ } ++ ++ if (sandbox->FindAvailableVsockPort(*port)) { ++ return 0; ++ } ++ ++ ERROR("Failed to find available vsock port for sandbox %s", sandbox_id); ++ ++ return -1; ++} ++ ++static void release_vsock_port_for_sandbox(const char *sandbox_id, uint32_t port) ++{ ++ if (sandbox_id == NULL) { ++ return; ++ } ++ std::string sandbox_id_str = sandbox_id; ++ std::shared_ptr sandbox = sandbox::SandboxManager::GetInstance()->GetSandbox(sandbox_id_str); ++ if (sandbox == nullptr) { ++ return; ++ } ++ ++ sandbox->ReleaseVsockPort(port); ++} ++ ++static int set_flags(int fd, int flags) ++{ ++ int curflag; ++ int ret; ++ ++ curflag = fcntl(fd, F_GETFL, 0); ++ if (curflag < 0) { ++ SYSERROR("Failed to get flags for vsock fd"); ++ return -1; ++ } ++ ++ ret = fcntl(fd, F_SETFL, curflag | flags); ++ if (ret != 0) { ++ SYSERROR("Failed to set flags for vsock fd"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static int vsock_connect(uint32_t cid, uint32_t port) ++{ ++ int fd = -1; ++ struct sockaddr_vm sa = { 0 }; ++ ++ fd = socket(AF_VSOCK, SOCK_STREAM, 0); ++ if (fd < 0) { ++ SYSERROR("Failed to create vsock socket"); ++ return -1; ++ } ++ ++ sa.svm_family = AF_VSOCK; ++ sa.svm_cid = cid; ++ sa.svm_port = port; ++ ++ if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) !=0) { ++ SYSERROR("Failed to connect vsock socket"); ++ close(fd); ++ return -1; ++ } ++ return fd; ++} ++ ++/* ++ * We setup connection as a client, so we need to wait the server to be ready. ++ * In the following function, we need to keep retrying until connection is established. ++ * The retrying time is 10s. ++ */ ++int vsock_open(const char *vsock_path, int *fdout, int flags) ++{ ++ int ret; ++ int fd = -1; ++ int retry = 0; ++ uint32_t cid; ++ uint32_t port; ++ ++ if (vsock_path == NULL || fdout == NULL) { ++ ERROR("Invalid NULL vsock path or fdout"); ++ return -1; ++ } ++ ++ if (!parse_vsock_path(vsock_path, &cid, &port)) { ++ ERROR("Failed to parse vsock path, %s", vsock_path); ++ return -1; ++ } ++ ++ DEBUG("Open vsock, cid %u, port %u", cid, port); ++ ++ while (retry < VSOCK_RETRY_TIMEOUT) { ++ fd = vsock_connect(cid, port); ++ if (fd >= 0) { ++ break; ++ } ++ DEBUG("Failed to connect vsock socket"); ++ retry += VSOCK_RETRY_INTERVAL; ++ usleep(VSOCK_RETRY_INTERVAL * MILLI_TO_MICRO); ++ } ++ ++ if (retry >= VSOCK_RETRY_TIMEOUT) { ++ ERROR("Failed to connect vsock socket, timeout"); ++ return -1; ++ } ++ ++ ret = set_flags(fd, flags); ++ if (ret < 0) { ++ ERROR("Failed to set flags for vsock fd"); ++ close(fd); ++ return -1; ++ } ++ ++ *fdout = fd; ++ return 0; ++} ++ ++static char *create_single_vsockpath(const char *sandbox_id, uint32_t cid) ++{ ++ uint32_t vsock_port; ++ ++ if (find_available_vsock_port_for_sandbox(sandbox_id, &vsock_port) != 0) { ++ ERROR("Failed to find available vsock port for sandbox %s", sandbox_id); ++ return NULL; ++ } ++ std::string vsock_address = VSOCK_PREFIX + std::to_string(cid) + ":" + std::to_string(vsock_port); ++ ++ DEBUG("Create vsock path %s for sandbox %s", vsock_address.c_str(), sandbox_id); ++ ++ return util_strdup_s(vsock_address.c_str()); ++} ++ ++int create_daemon_vsockpaths(const char *sandbox_id, uint32_t cid, bool attach_stdin, bool attach_stdout, ++ bool attach_stderr, char *vsockpaths[]) ++{ ++ int ret = -1; ++ ++ if (sandbox_id == NULL || vsockpaths == NULL) { ++ return -1; ++ } ++ if (attach_stdin) { ++ vsockpaths[0] = create_single_vsockpath(sandbox_id, cid); ++ if (vsockpaths[0] == NULL) { ++ goto errout; ++ } ++ } ++ ++ if (attach_stdout) { ++ vsockpaths[1] = create_single_vsockpath(sandbox_id, cid); ++ if (vsockpaths[1] == NULL) { ++ goto errout; ++ } ++ } ++ ++ if (attach_stderr) { ++ vsockpaths[2] = create_single_vsockpath(sandbox_id, cid); ++ if (vsockpaths[2] == NULL) { ++ goto errout; ++ } ++ } ++ ++ ret = 0; ++errout: ++ if (ret != 0) { ++ delete_daemon_vsockpaths(sandbox_id, (const char **)vsockpaths); ++ free(vsockpaths[0]); ++ free(vsockpaths[1]); ++ free(vsockpaths[2]); ++ vsockpaths[0] = NULL; ++ vsockpaths[1] = NULL; ++ vsockpaths[2] = NULL; ++ } ++ ++ return ret; ++} ++ ++static void delete_single_vsockpath(const char *sandbox_id, const char *vsockpath) ++{ ++ uint32_t cid; ++ uint32_t port; ++ ++ if (vsockpath == NULL) { ++ return; ++ } ++ if (!parse_vsock_path(vsockpath, &cid, &port)) { ++ ERROR("Failed to parse vsock path, %s", vsockpath); ++ return; ++ } ++ release_vsock_port_for_sandbox(sandbox_id, port); ++} ++ ++void delete_daemon_vsockpaths(const char *sandbox_id, const char *vsockpaths[]) ++{ ++ if (sandbox_id == NULL || vsockpaths == NULL) { ++ return; ++ } ++ if (vsockpaths[0] != NULL) { ++ delete_single_vsockpath(sandbox_id, vsockpaths[0]); ++ } ++ if (vsockpaths[1] != NULL) { ++ delete_single_vsockpath(sandbox_id, vsockpaths[1]); ++ } ++ if (vsockpaths[2] != NULL) { ++ delete_single_vsockpath(sandbox_id, vsockpaths[2]); ++ } ++} ++ ++enum IOFlowType{ ++ IO_SRC = 0, ++ IO_DST, ++ IO_FLOW_INVALID, ++}; ++ ++static ssize_t WriteToFIFO(void *context, const void *data, size_t len) ++{ ++ ssize_t ret; ++ int fd; ++ ++ fd = *(int *)context; ++ ret = util_write_nointr_in_total(fd, static_cast(data), len); ++ if ((ret < 0) || (size_t)ret != len) { ++ SYSERROR("Failed to write %d", fd); ++ return -1; ++ } ++ return ret; ++} ++ ++static ssize_t WriteToFd(void *context, const void *data, size_t len) ++{ ++ ssize_t ret; ++ ++ ret = util_write_nointr(*(int *)context, static_cast(data), len); ++ if (ret < 0 || (size_t)ret != len) { ++ SYSERROR("Failed to write"); ++ return -1; ++ } ++ return ret; ++} ++ ++class IOEntry { ++public: ++ IOEntry() ++ { ++ m_initialized = false; ++ m_fd = -1; ++ m_flags = 0; ++ m_flowType = IO_FLOW_INVALID; ++ } ++ ++ virtual ~IOEntry() = default; ++ ++ virtual int Init() = 0; ++ ++ bool Initialized() const ++ { ++ return m_initialized; ++ } ++ ++ virtual int GetFd() ++ { ++ if (!Initialized()) { ++ return -1; ++ } ++ return m_fd; ++ } ++ ++ virtual struct io_write_wrapper *GetWriter() ++ { ++ if (!Initialized()) { ++ return NULL; ++ } ++ if (m_flowType == IO_SRC) { ++ return NULL; ++ } ++ return &m_writer; ++ } ++ virtual std::string ToString() = 0; ++protected: ++ int m_flags; ++ bool m_initialized; ++ int m_fd; ++ struct io_write_wrapper m_writer; ++ IOFlowType m_flowType; ++}; ++ ++ ++ ++class IOFdEntry : public IOEntry { ++public: ++ IOFdEntry(int fd, IOFlowType flowType): IOEntry() ++ { ++ m_fd = fd; ++ m_flowType = flowType; ++ } ++ ++ ~IOFdEntry() override ++ { ++ if (m_initialized && m_fd >= 0) { ++ close(m_fd); ++ m_fd = -1; ++ } ++ } ++ ++ int Init() override ++ { ++ if (m_initialized) { ++ return 0; ++ } ++ if (m_flowType == IO_DST) { ++ m_writer.context = &m_fd; ++ m_writer.write_func = WriteToFd; ++ } ++ m_initialized = true; ++ return 0; ++ } ++ ++ std::string ToString() override ++ { ++ return "file descriptor " + std::to_string(m_fd); ++ } ++}; ++ ++class IOFifoEntry : public IOEntry { ++public: ++ IOFifoEntry(const char *path, int flags, IOFlowType flowType): IOEntry() ++ { ++ m_fifoPath = path; ++ m_flags = flags; ++ m_flowType = flowType; ++ } ++ ++ ~IOFifoEntry() override ++ { ++ if (m_initialized && m_fd >= 0) { ++ console_fifo_close(m_fd); ++ m_fd = -1; ++ } ++ } ++ ++ int Init() override ++ { ++ if (m_initialized) { ++ return 0; ++ } ++ ++ if (m_flowType == IO_SRC) { ++ if (console_fifo_open(m_fifoPath.c_str(), &m_fd, m_flags) != 0) { ++ ERROR("Failed to open fifo, %s", m_fifoPath.c_str()); ++ return -1; ++ } ++ } else { ++ if (console_fifo_open_withlock(m_fifoPath.c_str(), &m_fd, m_flags)) { ++ ERROR("Failed to open console fifo."); ++ return -1; ++ } ++ m_writer.context = &m_fd; ++ m_writer.write_func = WriteToFIFO; ++ } ++ m_initialized = true; ++ return 0; ++ } ++ ++ std::string ToString() override ++ { ++ return "FIFO " + m_fifoPath; ++ } ++private: ++ std::string m_fifoPath; ++}; ++ ++class IOVsockEntry : public IOEntry { ++public: ++ IOVsockEntry(const char *path, int flags, IOFlowType flowType): IOEntry() ++ { ++ m_vsockPath = path; ++ m_flags = flags; ++ m_flowType = flowType; ++ } ++ ++ ~IOVsockEntry() override ++ { ++ if (m_initialized && m_fd >= 0) { ++ close(m_fd); ++ m_fd = -1; ++ } ++ } ++ ++ int Init() override ++ { ++ if (m_initialized) { ++ return 0; ++ } ++ if (vsock_open(m_vsockPath.c_str(), &m_fd, m_flags) != 0) { ++ ERROR("Failed to open vsock, %s", m_vsockPath.c_str()); ++ return -1; ++ } ++ if (m_flowType != IO_SRC) { ++ m_writer.context = &m_fd; ++ m_writer.write_func = WriteToFd; ++ } ++ m_initialized = true; ++ return 0; ++ } ++ ++ std::string ToString() override ++ { ++ return "vsock " + m_vsockPath; ++ } ++private: ++ std::string m_vsockPath; ++}; ++ ++class IOFuncEntry : public IOEntry { ++public: ++ IOFuncEntry(struct io_write_wrapper *handler, IOFlowType flowType): IOEntry() ++ { ++ m_handler = handler; ++ m_flowType = flowType; ++ } ++ ++ ~IOFuncEntry() override ++ { ++ if (m_initialized && m_handler != NULL) { ++ if (m_handler->close_func != NULL) { ++ m_handler->close_func(m_handler->context, NULL); ++ } ++ m_handler = NULL; ++ } ++ } ++ ++ int Init() override ++ { ++ if (m_initialized) { ++ return 0; ++ } ++ if (m_flowType == IO_SRC) { ++ ERROR("IO func entry should not be used for stdin channel"); ++ return -1; ++ } ++ m_writer.context = m_handler->context; ++ m_writer.write_func = m_handler->write_func; ++ m_writer.close_func = m_handler->close_func; ++ m_initialized = true; ++ return 0; ++ } ++ ++ std::string ToString() override ++ { ++ return "IO func entry"; ++ } ++private: ++ struct io_write_wrapper *m_handler; ++}; ++ ++/** ++ * IOCopy defines the copy relationship between two IO. ++ * It defines source IOEntry to read data from, destination IOEntry to write data to, ++ * and the transfer channel type. ++ */ ++class IOCopy { ++public: ++ IOCopy(std::unique_ptr src, std::unique_ptr dst, transfer_channel_type channel) ++ { ++ m_src = std::move(src); ++ m_dst = std::move(dst); ++ m_channel = channel; ++ } ++ ~IOCopy() = default; ++ IOEntry &GetSrc() ++ { ++ return *m_src; ++ } ++ IOEntry &GetDst() ++ { ++ return *m_dst; ++ } ++ transfer_channel_type GetChannel() ++ { ++ return m_channel; ++ } ++private: ++ std::unique_ptr m_src; ++ std::unique_ptr m_dst; ++ transfer_channel_type m_channel; ++}; ++ ++class IOCopyCollection { ++public: ++ IOCopyCollection() = default; ++ ~IOCopyCollection() = default; ++ void AddIOCopy(std::unique_ptr src, std::unique_ptr dst, transfer_channel_type channel) ++ { ++ m_copies.push_back(std::unique_ptr(new IOCopy(std::move(src), std::move(dst), channel))); ++ } ++ ++ int Init() ++ { ++ for (auto © : m_copies) { ++ if (copy->GetSrc().Init() != 0) { ++ ERROR("Failed to init src IO, %s", copy->GetSrc().ToString().c_str()); ++ return -1; ++ } ++ if (copy->GetDst().Init() != 0) { ++ ERROR("Failed to init dst IO, %s", copy->GetDst().ToString().c_str()); ++ return -1; ++ } ++ } ++ return 0; ++ } ++ ++ size_t Size() ++ { ++ return m_copies.size(); ++ } ++ ++ int *GetSrcFds() ++ { ++ size_t len = m_copies.size(); ++ int *fds = new int[len]; ++ for (size_t i = 0; i < len; i++) { ++ int fd = m_copies[i]->GetSrc().GetFd(); ++ if (fd < 0) { ++ ERROR("Invalid fd: %s", m_copies[i]->GetSrc().ToString().c_str()); ++ delete[] fds; ++ return NULL; ++ } ++ fds[i] = m_copies[i]->GetSrc().GetFd(); ++ } ++ return fds; ++ } ++ ++ struct io_write_wrapper *GetDstWriters() ++ { ++ size_t len = m_copies.size(); ++ struct io_write_wrapper *writers = new struct io_write_wrapper[len]; ++ for (size_t i = 0; i < len; i++) { ++ struct io_write_wrapper *writer = m_copies[i]->GetDst().GetWriter(); ++ if (writer == NULL) { ++ ERROR("Invalid writer: %s", m_copies[i]->GetDst().ToString().c_str()); ++ delete[] writers; ++ return NULL; ++ } ++ writers[i] = *writer; ++ } ++ return writers; ++ } ++ ++ transfer_channel_type *GetChannels() ++ { ++ size_t len = m_copies.size(); ++ transfer_channel_type *channels = new transfer_channel_type[len]; ++ for (size_t i = 0; i < len; i++) { ++ channels[i] = m_copies[i]->GetChannel(); ++ } ++ return channels; ++ } ++ ++private: ++ std::vector> m_copies; ++}; ++ ++/** ++ * IO Copy module basically connect two IO together, and copy data from one to another. ++ * For the IO between iSula/Websocket and iSulad, there are two forms: ++ * 1. FIFO: iSula/Websocket will create three fifo files for communication with iSulad. ++ * 2. FD and Callback: iSula/Websocket will use fd for input Channel with iSulad, ++ * and use callback for output and error Channel. ++ * The IO between iSulad and container could be different types, such as FIFO, VSOCK. ++ -------------------------------------------------------------------------------------- ++ | CHANNEL | iSula/Websocket iSulad container| ++ -------------------------------------------------------------------------------------- ++ | | fifoin | stdin_fd vsocks[0] | ++ | IN | RDWR --------> RD RDWR --------> RD | ++ -------------------------------------------------------------------------------------- ++ | | fifoout | stdout_handler vsocks[1] | ++ | OUT | RD <-------- WR RD <-------- WR | ++ -------------------------------------------------------------------------------------- ++ | | fifoerr stderr_handler vsocks[2] | ++ | ERR | RD <-------- WR RD <-------- WR | ++ -------------------------------------------------------------------------------------- ++*/ ++static void PrepareIOCopyCollection(const char *fifoin, const char *fifoout, const char *fifoerr, ++ int stdin_fd, struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, ++ const char *vsocks[], IOCopyCollection &ioCollection) ++{ ++ if (fifoin != NULL) { ++ ioCollection.AddIOCopy(std::unique_ptr(new IOFifoEntry(fifoin, O_RDONLY | O_NONBLOCK, IO_SRC)), ++ std::unique_ptr(new IOVsockEntry(vsocks[0], O_WRONLY | O_NONBLOCK, IO_DST)), STDIN_CHANNEL); ++ } ++ if (fifoout != NULL) { ++ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[1], O_RDONLY | O_NONBLOCK, IO_SRC)), ++ std::unique_ptr(new IOFifoEntry(fifoout, O_WRONLY | O_NONBLOCK, IO_DST)), STDOUT_CHANNEL); ++ } ++ if (fifoerr != NULL) { ++ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[2], O_RDONLY | O_NONBLOCK, IO_SRC)), ++ std::unique_ptr(new IOFifoEntry(fifoerr, O_WRONLY | O_NONBLOCK, IO_DST)), STDERR_CHANNEL); ++ } ++ if (stdin_fd >= 0) { ++ ioCollection.AddIOCopy(std::unique_ptr(new IOFdEntry(stdin_fd, IO_SRC)), ++ std::unique_ptr(new IOVsockEntry(vsocks[0], O_WRONLY | O_NONBLOCK, IO_DST)), STDIN_CHANNEL); ++ } ++ if (stdout_handler != NULL) { ++ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[1], O_RDONLY | O_NONBLOCK, IO_SRC)), ++ std::unique_ptr(new IOFuncEntry(stdout_handler, IO_DST)), STDOUT_CHANNEL); ++ } ++ if (stderr_handler != NULL) { ++ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[2], O_RDONLY | O_NONBLOCK, IO_SRC)), ++ std::unique_ptr(new IOFuncEntry(stderr_handler, IO_DST)), STDERR_CHANNEL); ++ } ++} ++ ++struct IOCopyThreadArgs { ++ IOCopyCollection ioCollection; ++ int sync_fd; ++ bool detach; ++ std::string exec_id; ++ IOCopyThreadArgs() = default; ++ ~IOCopyThreadArgs() = default; ++}; ++ ++static void *IOCopyThread(void *arg) ++{ ++ if (arg == NULL) { ++ return NULL; ++ } ++ ++ std::unique_ptr threadArg((struct IOCopyThreadArgs *)arg); ++ ++ if (threadArg->detach) { ++ if (pthread_detach(pthread_self()) != 0) { ++ CRIT("Set thread detach fail"); ++ return NULL; ++ } ++ } ++ ++ std::string tname = "IoCopy"; ++ if (!threadArg->exec_id.empty()) { ++ // The name of the thread cannot be longer than 16 bytes, ++ // so just use the first 4 bytes of exec_id as thread name. ++ tname = "IoCopy-" + threadArg->exec_id.substr(0, 4); ++ } ++ ++ (void)prctl(PR_SET_NAME, tname.c_str()); ++ ++ if (threadArg->ioCollection.Init() != 0) { ++ ERROR("Failed to init IO copy collection"); ++ return NULL; ++ } ++ ++ size_t len = threadArg->ioCollection.Size(); ++ if (len == 0) { ++ ERROR("No IO copy to be done"); ++ return NULL; ++ } ++ ++ std::unique_ptr srcfds(threadArg->ioCollection.GetSrcFds()); ++ if (srcfds == NULL) { ++ ERROR("Failed to get src fds"); ++ return NULL; ++ } ++ ++ std::unique_ptr writers(threadArg->ioCollection.GetDstWriters()); ++ if (writers == NULL) { ++ ERROR("Failed to get dst writers"); ++ return NULL; ++ } ++ ++ std::unique_ptr channels(threadArg->ioCollection.GetChannels()); ++ if (channels == NULL) { ++ ERROR("Failed to get channels"); ++ return NULL; ++ } ++ ++ (void)console_loop_io_copy(threadArg->sync_fd, srcfds.get(), writers.get(), channels.get(), len); ++ return NULL; ++} ++ ++int start_vsock_io_copy(const char *exec_id, int sync_fd, bool detach, const char *fifoin, const char *fifoout, const char *fifoerr, ++ int stdin_fd, struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, ++ const char *vsocks[], pthread_t *tid) ++{ ++ if (sync_fd < 0 || vsocks == NULL || tid == NULL) { ++ ERROR("Invalid NULL arguments"); ++ return -1; ++ } ++ ++ struct IOCopyThreadArgs *args = new IOCopyThreadArgs(); ++ args->sync_fd = sync_fd; ++ args->detach = detach; ++ if (exec_id != NULL) { ++ args->exec_id = exec_id; ++ } ++ ++ PrepareIOCopyCollection(fifoin, fifoout, fifoerr, stdin_fd, stdout_handler, stderr_handler, vsocks, args->ioCollection); ++ ++ int ret = pthread_create(tid, NULL, IOCopyThread, (void *)args); ++ if (ret != 0) { ++ CRIT("Thread creation failed"); ++ delete args; ++ } ++ ++ return ret; ++} +diff --git a/src/daemon/modules/service/vsock_io_handler.h b/src/daemon/modules/service/vsock_io_handler.h +new file mode 100644 +index 00000000..cc0c1dd0 +--- /dev/null ++++ b/src/daemon/modules/service/vsock_io_handler.h +@@ -0,0 +1,46 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: xuxuepeng ++ * Create: 2023-09-04 ++ * Description: provide vsock io functions ++ ********************************************************************************/ ++ ++#ifndef DAEMON_MODULES_SERVICE_VSOCK_IO_H ++#define DAEMON_MODULES_SERVICE_VSOCK_IO_H ++ ++#include ++#include ++ ++#ifdef __cplusplus ++extern "C" ++{ ++#endif ++ ++bool is_vsock_path(const char *path); ++ ++bool parse_vsock_path(const char *vsock_path, uint32_t *cid, uint32_t *port); ++ ++int vsock_open(const char *vsock_path, int *fdout, int flags); ++ ++int create_daemon_vsockpaths(const char *sandbox_id, uint32_t cid, bool attach_stdin, bool attach_stdout, ++ bool attach_stderr, char *vsockpaths[]); ++ ++void delete_daemon_vsockpaths(const char *sandbox_id, const char *vsockpaths[]); ++ ++int start_vsock_io_copy(const char *exec_id, int sync_fd, bool detach, const char *fifoin, const char *fifoout, const char *fifoerr, ++ int stdin_fd, struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, ++ const char *vsocks[], pthread_t *tid); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif // DAEMON_MODULES_SERVICE_VSOCK_IO_H +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index 968dae24..94c2684a 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -43,6 +43,8 @@ + namespace sandbox { + + const std::string SHM_MOUNT_POINT = "/dev/shm"; ++const uint32_t VSOCK_START_PORT = 2000; ++const uint32_t VSOCK_END_PORT = 65535; + + static int WriteDefaultSandboxHosts(const std::string &path, const std::string &hostname) + { +@@ -1014,6 +1016,25 @@ void Sandbox::SetNetworkSettings(const std::string &settings, Errors &error) + } + } + ++auto Sandbox::FindAvailableVsockPort(uint32_t &port) -> bool ++{ ++ std::unique_lock lock(m_vsockPortsMutex); ++ for (uint32_t i = VSOCK_START_PORT; i < VSOCK_END_PORT; i++) { ++ if (m_vsockPorts.find(i) == m_vsockPorts.end()) { ++ m_vsockPorts.insert(i); ++ port = i; ++ return true; ++ } ++ } ++ return false; ++} ++ ++void Sandbox::ReleaseVsockPort(uint32_t port) ++{ ++ std::unique_lock lock(m_vsockPortsMutex); ++ m_vsockPorts.erase(port); ++} ++ + auto Sandbox::GetTaskAddress() const -> const std::string & + { + return m_taskAddress; +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 6ae2750f..0f135e70 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -117,6 +117,8 @@ public: + auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo; + void SetNetworkReady(bool ready); + void SetNetworkMode(const std::string &networkMode); ++ auto FindAvailableVsockPort(uint32_t &port) -> bool; ++ void ReleaseVsockPort(uint32_t port); + auto CleanupSandboxFiles(Errors &error) -> bool; + + // Save to file +@@ -205,6 +207,10 @@ private: + + // it should select accroding to the config + std::shared_ptr m_controller { nullptr }; ++ ++ // vsock ports ++ std::mutex m_vsockPortsMutex; ++ std::set m_vsockPorts; + }; + + } // namespace sandbox +-- +2.25.1 + diff --git a/0008-reinforce-omit-health_check.sh.patch b/0008-reinforce-omit-health_check.sh.patch deleted file mode 100644 index 9d81e619c8ad98fc2c5d69839f3702d74a128aae..0000000000000000000000000000000000000000 --- a/0008-reinforce-omit-health_check.sh.patch +++ /dev/null @@ -1,166 +0,0 @@ -From ab3d902b09ace8d69172a4ea6cf9771a21540ffb Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Mon, 22 May 2023 19:37:23 +0800 -Subject: [PATCH 8/9] reinforce omit health_check.sh - -Signed-off-by: zhongtao ---- - CI/test_cases/container_cases/health_check.sh | 100 +++++++++++++++--- - 1 file changed, 83 insertions(+), 17 deletions(-) - -diff --git a/CI/test_cases/container_cases/health_check.sh b/CI/test_cases/container_cases/health_check.sh -index 28af6149..0bbad16e 100755 ---- a/CI/test_cases/container_cases/health_check.sh -+++ b/CI/test_cases/container_cases/health_check.sh -@@ -29,6 +29,9 @@ isula pull ${image} - function test_health_check_paraments() - { - local ret=0 -+ local retry_limit=10 -+ local retry_interval=1 -+ local success=1 - local test="list && inspect image info test => (${FUNCNAME[@]})" - - msg_info "${test} starting..." -@@ -45,16 +48,33 @@ function test_health_check_paraments() - [[ $(isula inspect -f '{{.State.Status}}' ${container_name}) == "running" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container status: not running" && ((ret++)) - -- sleep 13 # finish first health check -+ # finish first health check -+ sleep 10 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done - - # keep starting status with health check return non-zero at always until status change to unhealthy -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) - - sleep 6 # finish second health check - -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) -+ success=1 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done -+ -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) - - # validate --health-retries option - [[ $(isula inspect -f '{{.State.Health.FailingStreak}}' ${container_name}) == "2" ]] -@@ -77,6 +97,9 @@ function test_health_check_normally() - { - local ret=0 - local image="busybox" -+ local retry_limit=10 -+ local retry_interval=1 -+ local success=1 - local test="list && inspect image info test => (${FUNCNAME[@]})" - - msg_info "${test} starting..." -@@ -92,25 +115,60 @@ function test_health_check_normally() - [[ $(isula inspect -f '{{.State.Status}}' ${container_name}) == "running" ]] - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container status: not running" && ((ret++)) - -- sleep 2 # Health check has been performed yet -+ # Health check has been performed yet -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done - - # Initial status when the container is still starting -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "starting" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not starting" && ((ret++)) - - sleep 8 # finish first health check -+ -+ success=1 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "healthy" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done - # When the health check returns successfully, status immediately becomes healthy -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "healthy" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not healthy" && ((ret++)) -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not healthy" && ((ret++)) - -- kill -9 $(isula inspect -f '{{.State.Pid}}' ${container_name}) && sleep 2 # Wait for the container to be killed -+ kill -9 $(isula inspect -f '{{.State.Pid}}' ${container_name}) -+ -+ # Wait for the container to be killed -+ success=1 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done - - # The container process exits abnormally and the health check status becomes unhealthy -- [[ $(isula inspect -f '{{.State.Health.Status}}' ${container_name}) == "unhealthy" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) - -- [[ $(isula inspect -f '{{.State.ExitCode}}' ${container_name}) == "137" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container exit code: not 137" && ((ret++)) -+ success=1 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.ExitCode}}' ${container_name}) == "137" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done -+ -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container exit code: not 137" && ((ret++)) - - isula rm -f ${container_name} - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove container: ${container_name}" && ((ret++)) -@@ -168,8 +226,16 @@ function test_health_check_timeout() - # The container process exits and the health check status becomes unhealthy - [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container health check status: not unhealthy" && ((ret++)) - -- [[ $(isula inspect -f '{{.State.ExitCode}}' ${container_name}) == "137" ]] -- [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container exit code: not 137" && ((ret++)) -+ success=1 -+ for i in $(seq 1 "$retry_limit"); do -+ [[ $(isula inspect -f '{{.State.ExitCode}}' ${container_name}) == "137" ]] -+ if [ $? -eq 0 ]; then -+ success=0 -+ break; -+ fi -+ sleep $retry_interval -+ done -+ [[ $success -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container exit code: not 137" && ((ret++)) - - isula rm -f ${container_name} - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to remove container: ${container_name}" && ((ret++)) --- -2.40.1 - diff --git a/0009-fix-memory-leak-and-array-access-out-of-range.patch b/0009-fix-memory-leak-and-array-access-out-of-range.patch deleted file mode 100644 index f0cee17bb0c29227e69119b552b652020a6e0736..0000000000000000000000000000000000000000 --- a/0009-fix-memory-leak-and-array-access-out-of-range.patch +++ /dev/null @@ -1,75 +0,0 @@ -From ab1f394910103615d015077d538cb71c363397fc Mon Sep 17 00:00:00 2001 -From: "Neil.wrz" -Date: Tue, 23 May 2023 19:01:40 -0700 -Subject: [PATCH 9/9] fix memory leak and array access out of range - -Signed-off-by: Neil.wrz ---- - .../oci/storage/remote_layer_support/remote_support.c | 4 ++-- - .../storage/remote_layer_support/ro_symlink_maintain.c | 2 +- - src/utils/http/parser.c | 10 ++++++++++ - 3 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -index 748298cb..400678c4 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -@@ -105,12 +105,12 @@ int remote_start_refresh_thread(pthread_rwlock_t *remote_lock) - res = pthread_create(&a_thread, NULL, remote_refresh_ro_symbol_link, (void *)&supporters); - if (res != 0) { - CRIT("Thread creation failed"); -- return -1; -+ goto free_out; - } - - if (pthread_detach(a_thread) != 0) { - SYSERROR("Failed to detach 0x%lx", a_thread); -- return -1; -+ goto free_out; - } - - return 0; -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -index 0e2b671b..2bcc43e6 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -@@ -136,7 +136,7 @@ static int do_build_ro_dir(const char *home, const char *id) - nret = asprintf(&ro_layer_dir, "%s/%s/%s", home, REMOTE_RO_LAYER_DIR, id); - if (nret < 0 || nret > PATH_MAX) { - SYSERROR("Failed to create ro layer dir path"); -- return -1; -+ goto out; - } - - if (util_mkdir_p(ro_layer_dir, IMAGE_STORE_PATH_MODE) != 0) { -diff --git a/src/utils/http/parser.c b/src/utils/http/parser.c -index 12df2435..a79893ba 100644 ---- a/src/utils/http/parser.c -+++ b/src/utils/http/parser.c -@@ -88,6 +88,11 @@ static int parser_cb_header_field(http_parser *parser, const char *buf, - m->num_headers++; - } - -+ if (m->num_headers == 0) { -+ ERROR("Failed to parse header field because headers num is 0"); -+ return -1; -+ } -+ - strlncat(m->headers[m->num_headers - 1][0], sizeof(m->headers[m->num_headers - 1][0]), buf, len); - - m->last_header_element = FIELD; -@@ -100,6 +105,11 @@ static int parser_cb_header_value(http_parser *parser, const char *buf, - size_t len) - { - struct parsed_http_message *m = parser->data; -+ -+ if (m->num_headers == 0) { -+ ERROR("Failed to parse header value because headers num is 0"); -+ return -1; -+ } - - strlncat(m->headers[m->num_headers - 1][1], sizeof(m->headers[m->num_headers - 1][1]), buf, len); - m->last_header_element = VALUE; --- -2.40.1 - diff --git a/0009-remove-unneccessary-strerror.patch b/0009-remove-unneccessary-strerror.patch new file mode 100644 index 0000000000000000000000000000000000000000..242d3858aa9288c173fb745537e25ef6184950ab --- /dev/null +++ b/0009-remove-unneccessary-strerror.patch @@ -0,0 +1,2669 @@ +From 3536723347722180d8964edf7687bef6343edc77 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Mon, 4 Sep 2023 10:44:35 +0800 +Subject: [PATCH 09/32] remove unneccessary strerror + +1. use SYS-log to replace log; +2. remove unuseful strerror; + +Signed-off-by: haozi007 +--- + src/cmd/isula/base/create.c | 4 +- + src/cmd/isula/base/start.c | 2 +- + src/cmd/isula/extend/export.c | 2 +- + src/cmd/isula/images/images.c | 2 +- + src/cmd/isula/images/import.c | 2 +- + src/cmd/isula/images/load.c | 2 +- + src/cmd/isula/images/login.c | 6 +- + src/cmd/isula/isula_host_spec.c | 2 +- + src/cmd/isula/stream/attach.c | 2 +- + src/cmd/isula/stream/exec.c | 4 +- + src/cmd/isulad/main.c | 18 +-- + src/daemon/common/cgroup.c | 4 +- + src/daemon/common/sysinfo.c | 6 +- + src/daemon/entry/connect/grpc/grpc_service.cc | 2 +- + src/daemon/entry/connect/rest/rest_service.c | 4 +- + .../entry/cri/streams/websocket/ws_server.cc | 8 +- + .../cri_pod_sandbox_manager_service.cc | 2 +- + src/daemon/executor/container_cb/execution.c | 8 +- + .../container_cb/execution_information.c | 2 +- + .../executor/container_cb/execution_stream.c | 20 +-- + .../container/container_gc/containers_gc.c | 4 +- + src/daemon/modules/container/container_unix.c | 2 +- + .../container/leftover_cleanup/cleanup.c | 2 +- + .../modules/container/supervisor/supervisor.c | 6 +- + src/daemon/modules/events/monitord.c | 8 +- + .../modules/events_sender/event_sender.c | 2 +- + .../modules/image/embedded/db/sqlite_common.c | 2 +- + src/daemon/modules/image/external/ext_image.c | 2 +- + .../modules/image/image_rootfs_handler.c | 4 +- + src/daemon/modules/image/oci/oci_load.c | 2 +- + .../modules/image/oci/registry/registry.c | 11 +- + .../graphdriver/devmapper/deviceset.c | 10 +- + .../graphdriver/devmapper/wrapper_devmapper.c | 4 +- + .../oci/storage/layer_store/layer_store.c | 10 +- + .../modules/image/oci/storage/storage.c | 2 +- + src/daemon/modules/image/oci/utils_images.c | 6 +- + src/daemon/modules/log/log_gather.c | 18 +-- + .../network/cni_operator/libcni/libcni_conf.c | 2 +- + .../modules/runtime/engines/lcr/lcr_rt_ops.c | 6 +- + .../modules/runtime/isula/isula_rt_ops.c | 10 +- + .../modules/runtime/shim/shim_rt_monitor.cc | 2 +- + src/daemon/modules/runtime/shim/shim_rt_ops.c | 4 +- + src/daemon/modules/service/io_handler.c | 4 +- + .../modules/service/service_container.c | 13 +- + src/daemon/modules/service/service_network.c | 6 +- + src/daemon/modules/spec/specs.c | 2 +- + src/daemon/modules/spec/specs_mount.c | 2 +- + src/daemon/modules/spec/verify.c | 6 +- + src/daemon/modules/volume/local.c | 12 +- + src/daemon/sandbox/sandbox.cc | 2 +- + src/utils/console/console.c | 16 +-- + src/utils/cutils/network_namespace.c | 2 +- + src/utils/cutils/path.c | 4 +- + src/utils/cutils/utils.c | 12 +- + src/utils/cutils/utils_aes.c | 16 +-- + src/utils/cutils/utils_base64.c | 4 +- + src/utils/cutils/utils_file.c | 80 ++++++------ + src/utils/cutils/utils_fs.c | 12 +- + src/utils/cutils/utils_port.c | 14 +-- + src/utils/cutils/utils_verify.c | 2 +- + src/utils/http/http.c | 2 +- + src/utils/sha256/sha256.c | 8 +- + src/utils/tar/isulad_tar.c | 12 +- + src/utils/tar/util_archive.c | 118 ++++++++---------- + src/utils/tar/util_gzip.c | 12 +- + 65 files changed, 282 insertions(+), 300 deletions(-) + +diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c +index ecb197bc..aa90c5d6 100644 +--- a/src/cmd/isula/base/create.c ++++ b/src/cmd/isula/base/create.c +@@ -1945,7 +1945,7 @@ static int check_hook_spec_file(const char *hook_spec) + return -1; + } + if (stat(hook_spec, &hookstat)) { +- COMMAND_ERROR("Stat hook spec file failed: %s", strerror(errno)); ++ CMD_SYSERROR("Stat hook spec file failed"); + return -1; + } + if ((hookstat.st_mode & S_IFMT) != S_IFREG) { +@@ -1987,7 +1987,7 @@ static int create_check_rootfs(struct client_arguments *args) + if (args->create_rootfs != NULL) { + char real_path[PATH_MAX] = { 0 }; + if (realpath(args->create_rootfs, real_path) == NULL) { +- COMMAND_ERROR("Failed to get rootfs '%s': %s", args->create_rootfs, strerror(errno)); ++ CMD_SYSERROR("Failed to get rootfs '%s'.", args->create_rootfs); + ret = -1; + goto out; + } +diff --git a/src/cmd/isula/base/start.c b/src/cmd/isula/base/start.c +index ca3634e1..1d0f1256 100644 +--- a/src/cmd/isula/base/start.c ++++ b/src/cmd/isula/base/start.c +@@ -200,7 +200,7 @@ void client_wait_fifo_exit(const struct client_arguments *args) + void client_restore_console(bool reset_tty, const struct termios *oldtios, struct command_fifo_config *console_fifos) + { + if (reset_tty && tcsetattr(0, TCSAFLUSH, oldtios) < 0) { +- WARN("Failed to reset terminal properties: %s.", strerror(errno)); ++ SYSWARN("Failed to reset terminal properties."); + } + free_command_fifo_config(console_fifos); + sem_destroy(&g_console_waitopen_sem); +diff --git a/src/cmd/isula/extend/export.c b/src/cmd/isula/extend/export.c +index 68d17c82..d8f3574c 100644 +--- a/src/cmd/isula/extend/export.c ++++ b/src/cmd/isula/extend/export.c +@@ -114,7 +114,7 @@ int cmd_export_main(int argc, const char **argv) + int sret; + char cwd[PATH_MAX] = { 0 }; + if (!getcwd(cwd, sizeof(cwd))) { +- COMMAND_ERROR("get cwd failed:%s", strerror(errno)); ++ CMD_SYSERROR("get cwd failed"); + exit(ECOMMON); + } + sret = snprintf(file, sizeof(file), "%s/%s", cwd, g_cmd_export_args.file); +diff --git a/src/cmd/isula/images/images.c b/src/cmd/isula/images/images.c +index bff07f76..bd9dc18b 100644 +--- a/src/cmd/isula/images/images.c ++++ b/src/cmd/isula/images/images.c +@@ -65,7 +65,7 @@ static char *trans_time(int64_t created) + time_t created_time = (time_t)created; + + if (!localtime_r(&created_time, &t)) { +- ERROR("translate time for created failed: %s", strerror(errno)); ++ SYSERROR("translate time for created failed."); + return NULL; + } + +diff --git a/src/cmd/isula/images/import.c b/src/cmd/isula/images/import.c +index 7b6eb2a9..f28fe04c 100644 +--- a/src/cmd/isula/images/import.c ++++ b/src/cmd/isula/images/import.c +@@ -126,7 +126,7 @@ int cmd_import_main(int argc, const char **argv) + int len = 0; + + if (!getcwd(cwd, sizeof(cwd))) { +- COMMAND_ERROR("get cwd failed:%s", strerror(errno)); ++ CMD_SYSERROR("get cwd failed"); + exit(exit_code); + } + +diff --git a/src/cmd/isula/images/load.c b/src/cmd/isula/images/load.c +index 688edd02..314e5d5e 100644 +--- a/src/cmd/isula/images/load.c ++++ b/src/cmd/isula/images/load.c +@@ -150,7 +150,7 @@ int cmd_load_main(int argc, const char **argv) + int len; + + if (!getcwd(cwd, sizeof(cwd))) { +- COMMAND_ERROR("get cwd failed:%s", strerror(errno)); ++ CMD_SYSERROR("get cwd failed"); + exit(exit_code); + } + +diff --git a/src/cmd/isula/images/login.c b/src/cmd/isula/images/login.c +index c35cb579..1c3b06ea 100644 +--- a/src/cmd/isula/images/login.c ++++ b/src/cmd/isula/images/login.c +@@ -99,7 +99,7 @@ static int get_password_from_notty(struct client_arguments *args) + return -1; + } + if (n < 0) { +- COMMAND_ERROR("Get password from notty stdin failed: %s", strerror(errno)); ++ CMD_SYSERROR("Get password from notty stdin failed"); + return -1; + } + args->password = util_strdup_s(password); +@@ -126,7 +126,7 @@ static int get_auth_from_terminal(struct client_arguments *args) + COMMAND_ERROR("Error: Cannot perform an interactive login from a non TTY device"); + return -1; + } +- COMMAND_ERROR("Get username failed: %s", strerror(errno)); ++ CMD_SYSERROR("Get username failed"); + return -1; + } + args->username = util_strdup_s(username); +@@ -145,7 +145,7 @@ static int get_auth_from_terminal(struct client_arguments *args) + COMMAND_ERROR("Error: Cannot perform an interactive login from a non TTY device"); + return -1; + } +- COMMAND_ERROR("Get password failed: %s", strerror(errno)); ++ CMD_SYSERROR("Get password failed"); + return -1; + } + args->password = util_strdup_s(password); +diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c +index 765c44c0..9fa08bd2 100644 +--- a/src/cmd/isula/isula_host_spec.c ++++ b/src/cmd/isula/isula_host_spec.c +@@ -771,7 +771,7 @@ uint64_t get_proc_mem_size(const char *item) + + fp = util_fopen("/proc/meminfo", "r"); + if (fp == NULL) { +- ERROR("Failed to open /proc/meminfo: %s", strerror(errno)); ++ SYSERROR("Failed to open /proc/meminfo"); + return sysmem_limit; + } + +diff --git a/src/cmd/isula/stream/attach.c b/src/cmd/isula/stream/attach.c +index 02c67e30..ff49af92 100644 +--- a/src/cmd/isula/stream/attach.c ++++ b/src/cmd/isula/stream/attach.c +@@ -376,7 +376,7 @@ static int client_attach(struct client_arguments *args, uint32_t *exit_code) + if (errno == ETIMEDOUT) { + COMMAND_ERROR("Wait container status timeout."); + } else { +- COMMAND_ERROR("Failed to wait sem: %s", strerror(errno)); ++ CMD_SYSERROR("Failed to wait sem"); + } + ret = ECOMMON; + goto out; +diff --git a/src/cmd/isula/stream/exec.c b/src/cmd/isula/stream/exec.c +index bd8bd49a..209610be 100644 +--- a/src/cmd/isula/stream/exec.c ++++ b/src/cmd/isula/stream/exec.c +@@ -356,7 +356,7 @@ static int remote_cmd_exec(const struct client_arguments *args, uint32_t *exit_c + + out: + if (reset_tty && tcsetattr(0, TCSAFLUSH, &oldtios) < 0) { +- WARN("Failed to reset terminal properties: %s.", strerror(errno)); ++ SYSWARN("Failed to reset terminal properties."); + } + if (response->exit_code != 0) { + *exit_code = response->exit_code; +@@ -387,7 +387,7 @@ out: + sem_destroy(&g_command_waitopen_sem); + sem_destroy(&g_command_waitexit_sem); + if (reset_tty && tcsetattr(0, TCSAFLUSH, &oldtios) < 0) { +- WARN("Failed to reset terminal properties: %s.", strerror(errno)); ++ SYSWARN("Failed to reset terminal properties."); + } + return ret; + } +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index b32b6626..39cde6aa 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -179,7 +179,7 @@ static int mount_rootfs_mnt_dir(const char *mountdir) + if (info == NULL) { + ret = mount(rootfsdir, rootfsdir, "bind", MS_BIND | MS_REC, NULL); + if (ret < 0) { +- ERROR("Failed to mount parent directory %s:%s", rootfsdir, strerror(errno)); ++ SYSERROR("Failed to mount parent directory %s.", rootfsdir); + goto out; + } + } +@@ -212,7 +212,7 @@ static int umount_rootfs_mnt_dir(const char *mntdir) + + ret = umount(dir); + if (ret < 0 && errno != EINVAL) { +- WARN("Failed to umount parent directory %s:%s", dir, strerror(errno)); ++ SYSWARN("Failed to umount parent directory %s.", dir); + goto out; + } + +@@ -252,7 +252,7 @@ static void clean_residual_files() + if (checked_flag == NULL) { + ERROR("Failed to get image checked flag file path"); + } else if (unlink_ignore_enoent(checked_flag)) { +- ERROR("Unlink file: %s error: %s", checked_flag, strerror(errno)); ++ SYSERROR("Unlink file: %s.", checked_flag); + } + free(checked_flag); + +@@ -261,7 +261,7 @@ static void clean_residual_files() + if (fname == NULL) { + ERROR("Failed to get isulad pid file path"); + } else if (unlink(fname) && errno != ENOENT) { +- WARN("Unlink file: %s error: %s", fname, strerror(errno)); ++ SYSWARN("Unlink file: %s.", fname); + } + free(fname); + } +@@ -472,7 +472,7 @@ int check_and_save_pid(const char *fn) + + ret = ftruncate(fd, 0); + if (ret != 0) { +- ERROR("Failed to truncate pid file:%s to 0: %s", fn, strerror(errno)); ++ SYSERROR("Failed to truncate pid file:%s to 0.", fn); + ret = -1; + goto out; + } +@@ -486,7 +486,7 @@ int check_and_save_pid(const char *fn) + + len = util_write_nointr(fd, pidbuf, strlen(pidbuf)); + if (len < 0 || (size_t)len != strlen(pidbuf)) { +- ERROR("Failed to write pid to file:%s: %s", fn, strerror(errno)); ++ SYSERROR("Failed to write pid to file:%s.", fn); + ret = -1; + } + out: +@@ -527,7 +527,7 @@ static int check_hook_spec_file(const char *hook_spec) + return -1; + } + if (stat(hook_spec, &hookstat)) { +- ERROR("Stat hook spec file failed: %s", strerror(errno)); ++ SYSERROR("Stat hook spec file failed."); + return -1; + } + if ((hookstat.st_mode & S_IFMT) != S_IFREG) { +@@ -589,7 +589,7 @@ static void update_isulad_rlimits() + limit.rlim_cur = RLIM_INFINITY; + limit.rlim_max = RLIM_INFINITY; + if (setrlimit(RLIMIT_CORE, &limit)) { +- SYSWARN("Can not set ulimit of RLIMIT_CORE"); ++ SYSWARN("Can not set ulimit of RLIMIT_CORE."); + } + } + +@@ -813,7 +813,7 @@ static int overlay_supports_selinux(bool *supported) + *supported = false; + fp = fopen("/proc/kallsyms", "re"); + if (fp == NULL) { +- ERROR("Failed to open /proc/kallsyms: %s", strerror(errno)); ++ SYSERROR("Failed to open /proc/kallsyms."); + return -1; + } + __fsetlocking(fp, FSETLOCKING_BYCALLER); +diff --git a/src/daemon/common/cgroup.c b/src/daemon/common/cgroup.c +index a351704b..2d1cabb2 100644 +--- a/src/daemon/common/cgroup.c ++++ b/src/daemon/common/cgroup.c +@@ -596,7 +596,7 @@ int common_get_cgroup_version(void) + struct statfs fs = { 0 }; + + if (statfs(CGROUP_MOUNTPOINT, &fs) != 0) { +- ERROR("failed to statfs %s: %s", CGROUP_MOUNTPOINT, strerror(errno)); ++ SYSERROR("failed to statfs %s", CGROUP_MOUNTPOINT); + return -1; + } + +@@ -649,7 +649,7 @@ static int cgroup2_enable_all() + ret = util_write_file(CGROUP2_SUBTREE_CONTROLLER_PATH, enable_controllers, strlen(enable_controllers), + DEFAULT_CGROUP_FILE_MODE); + if (ret != 0) { +- ERROR("write %s to %s failed: %s", enable_controllers, CGROUP2_SUBTREE_CONTROLLER_PATH, strerror(errno)); ++ SYSERROR("write %s to %s failed", enable_controllers, CGROUP2_SUBTREE_CONTROLLER_PATH); + goto out; + } + +diff --git a/src/daemon/common/sysinfo.c b/src/daemon/common/sysinfo.c +index c83ff12f..957b370b 100644 +--- a/src/daemon/common/sysinfo.c ++++ b/src/daemon/common/sysinfo.c +@@ -108,7 +108,7 @@ uint64_t get_default_total_mem_size(void) + + fp = util_fopen("/proc/meminfo", "r"); + if (fp == NULL) { +- ERROR("Failed to open /proc/meminfo: %s", strerror(errno)); ++ SYSERROR("Failed to open /proc/meminfo."); + return sysmem_limit; + } + +@@ -148,10 +148,10 @@ char *get_operating_system(void) + + fp = fopen(etcOsRelease, "r"); + if (fp == NULL) { +- INFO("Failed to open %s :%s", etcOsRelease, strerror(errno)); ++ SYSINFO("Failed to open %s.", etcOsRelease); + fp = fopen(altOsRelease, "r"); + if (fp == NULL) { +- ERROR("Failed to open %s :%s", altOsRelease, strerror(errno)); ++ SYSERROR("Failed to open %s.", altOsRelease); + goto out; + } + } +diff --git a/src/daemon/entry/connect/grpc/grpc_service.cc b/src/daemon/entry/connect/grpc/grpc_service.cc +index 5adfd964..4e1ae019 100644 +--- a/src/daemon/entry/connect/grpc/grpc_service.cc ++++ b/src/daemon/entry/connect/grpc/grpc_service.cc +@@ -117,7 +117,7 @@ public: + for (const auto &address : m_socketPath) { + if (address.find(UNIX_SOCKET_PREFIX) == 0) { + if (unlink(address.c_str() + strlen(UNIX_SOCKET_PREFIX)) < 0 && errno != ENOENT) { +- WARN("Failed to remove '%s':%s", address.c_str(), strerror(errno)); ++ SYSWARN("Failed to remove '%s'.", address.c_str()); + } + } + } +diff --git a/src/daemon/entry/connect/rest/rest_service.c b/src/daemon/entry/connect/rest/rest_service.c +index 818e729d..c73fed66 100644 +--- a/src/daemon/entry/connect/rest/rest_service.c ++++ b/src/daemon/entry/connect/rest/rest_service.c +@@ -149,7 +149,7 @@ int rest_server_init(const char *socket, daemon_shutdown_cb_t shutdown_cb) + } + + if (unlink(g_socketpath + strlen(UNIX_SOCKET_PREFIX)) < 0 && errno != ENOENT) { +- ERROR("Failed to remove '%s':%s, abort", strerror(errno), g_socketpath); ++ SYSERROR("Failed to remove '%s', abort", g_socketpath); + goto error_out; + } + +@@ -190,7 +190,7 @@ void rest_server_shutdown(void) + + if (g_socketpath != NULL) { + if (unlink(g_socketpath + strlen(UNIX_SOCKET_PREFIX)) < 0 && errno != ENOENT) { +- ERROR("Failed to remove '%s':%s", g_socketpath, strerror(errno)); ++ SYSERROR("Failed to remove '%s'.", g_socketpath); + } + } + } +diff --git a/src/daemon/entry/cri/streams/websocket/ws_server.cc b/src/daemon/entry/cri/streams/websocket/ws_server.cc +index 3bb619d8..972c971f 100644 +--- a/src/daemon/entry/cri/streams/websocket/ws_server.cc ++++ b/src/daemon/entry/cri/streams/websocket/ws_server.cc +@@ -133,7 +133,7 @@ int WebsocketServer::CreateContext() + newLimit.rlim_max = WS_ULIMIT_FDS; + int limited = prlimit(0, RLIMIT_NOFILE, &newLimit, &oldLimit); + if (limited != 0) { +- WARN("Can not set ulimit of RLIMIT_NOFILE: %s", strerror(errno)); ++ SYSWARN("Can not set ulimit of RLIMIT_NOFILE"); + } + m_context = lws_create_context(&info); + if (m_context == nullptr) { +@@ -142,7 +142,7 @@ int WebsocketServer::CreateContext() + } + if (limited == 0) { + if (setrlimit(static_cast(RLIMIT_NOFILE), &oldLimit) != 0) { +- WARN("Can not set ulimit of RLIMIT_NOFILE: %s", strerror(errno)); ++ SYSWARN("Can not set ulimit of RLIMIT_NOFILE"); + } + } + +@@ -441,7 +441,7 @@ void WebsocketServer::Receive(int socketID, void *in, size_t len, bool complete) + DEBUG("Receive remaning stdin data with length %zu", len); + // Too much data may cause error 'resource temporarily unavaliable' by using 'write' + if (util_write_nointr_in_total(m_wsis[socketID]->pipes.at(1), static_cast(in), len) < 0) { +- ERROR("Sub write over! err msg: %s", strerror(errno)); ++ SYSERROR("Sub write over!"); + } + goto out; + } +@@ -458,7 +458,7 @@ void WebsocketServer::Receive(int socketID, void *in, size_t len, bool complete) + + if (*static_cast(in) == WebsocketChannel::STDINCHANNEL) { + if (util_write_nointr_in_total(m_wsis[socketID]->pipes.at(1), static_cast(in) + 1, len - 1) < 0) { +- ERROR("Sub write over! err msg: %s", strerror(errno)); ++ SYSERROR("Sub write over!"); + } + goto out; + } +diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc +index c24c1f69..6e8f40b9 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc +@@ -853,7 +853,7 @@ auto PodSandboxManagerService::ClearCniNetwork(const std::string &realSandboxID, + } + // umount netns when cni removed network successfully + if (remove_network_namespace(netnsPath.c_str()) != 0) { +- ERROR("Failed to umount directory %s:%s", netnsPath.c_str(), strerror(errno)); ++ SYSERROR("Failed to umount directory %s.", netnsPath.c_str()); + } + } + +diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c +index dbfec59e..d3571b7f 100644 +--- a/src/daemon/executor/container_cb/execution.c ++++ b/src/daemon/executor/container_cb/execution.c +@@ -277,7 +277,7 @@ static int prepare_start_io(container_t *cont, const container_start_request *re + + *sync_fd = eventfd(0, EFD_CLOEXEC); + if (*sync_fd < 0) { +- ERROR("Failed to create eventfd: %s", strerror(errno)); ++ SYSERROR("Failed to create eventfd."); + ret = -1; + goto out; + } +@@ -344,13 +344,13 @@ static int maybe_create_cpu_realtime_file(int64_t value, const char *file, const + + fd = util_open(fpath, O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, 0700); + if (fd < 0) { +- ERROR("Failed to open file: %s: %s", fpath, strerror(errno)); ++ SYSERROR("Failed to open file: %s.", fpath); + isulad_set_error_message("Failed to open file: %s: %s", fpath, strerror(errno)); + return -1; + } + nwrite = util_write_nointr(fd, buf, strlen(buf)); + if (nwrite < 0 || (size_t)nwrite != strlen(buf)) { +- ERROR("Failed to write %s to %s: %s", buf, fpath, strerror(errno)); ++ SYSERROR("Failed to write %s to %s.", buf, fpath); + isulad_set_error_message("Failed to write '%s' to '%s': %s", buf, fpath, strerror(errno)); + return -1; + } +@@ -485,7 +485,7 @@ static void handle_start_io_thread_by_cc(uint32_t cc, int sync_fd, pthread_t thr + } else { + if (sync_fd >= 0) { + if (eventfd_write(sync_fd, 1) < 0) { +- ERROR("Failed to write eventfd: %s", strerror(errno)); ++ SYSERROR("Failed to write eventfd."); + } + } + if (thread_id > 0) { +diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c +index 93e5032e..2f3d3627 100644 +--- a/src/daemon/executor/container_cb/execution_information.c ++++ b/src/daemon/executor/container_cb/execution_information.c +@@ -522,7 +522,7 @@ void execute_ps_command(char **args, const char *pid_args, size_t args_len) + + execvp("ps", params); + +- COMMAND_ERROR("Cannot get ps info with '%s':%s", pid_args, strerror(errno)); ++ CMD_SYSERROR("Cannot get ps info with '%s'.", pid_args); + + out: + exit(EXIT_FAILURE); +diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c +index 244ec6a0..7e84cca3 100644 +--- a/src/daemon/executor/container_cb/execution_stream.c ++++ b/src/daemon/executor/container_cb/execution_stream.c +@@ -265,7 +265,7 @@ static int attach_prepare_console(const container_t *cont, const container_attac + + *sync_fd = eventfd(0, EFD_CLOEXEC); + if (*sync_fd < 0) { +- ERROR("Failed to create eventfd: %s", strerror(errno)); ++ SYSERROR("Failed to create eventfd."); + ret = -1; + goto out; + } +@@ -295,7 +295,7 @@ static void handle_attach_io_thread_by_cc(uint32_t cc, int sync_fd, pthread_t th + } else { + if (sync_fd >= 0) { + if (eventfd_write(sync_fd, 1) < 0) { +- ERROR("Failed to write eventfd: %s", strerror(errno)); ++ SYSERROR("Failed to write eventfd."); + } + } + if (thread_id > 0) { +@@ -535,7 +535,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c + + nret = lstat(resolvedpath, &st); + if (nret < 0) { +- ERROR("lstat %s: %s", resolvedpath, strerror(errno)); ++ SYSERROR("lstat %s failed.", resolvedpath); + isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); + goto cleanup; + } +@@ -921,7 +921,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha + + nret = lstat(resolvedpath, &st); + if (nret < 0) { +- ERROR("lstat %s: %s", resolvedpath, strerror(errno)); ++ SYSERROR("lstat %s failed", resolvedpath); + isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); + goto cleanup; + } +@@ -1092,11 +1092,11 @@ static int64_t do_read_log_file(const char *path, int64_t require_line, long pos + util_usleep_nointerupt(1000); + } + if (fp == NULL) { +- ERROR("open file: %s failed: %s", path, strerror(errno)); ++ SYSERROR("open file: %s failed.", path); + return -1; + } + if (pos > 0 && fseek(fp, pos, SEEK_SET) != 0) { +- ERROR("fseek to %ld failed: %s", pos, strerror(errno)); ++ SYSERROR("fseek to %ld failed.", pos); + read_lines = -1; + goto out; + } +@@ -1211,12 +1211,12 @@ static int do_tail_find(FILE *fp, int64_t require_line, int64_t *get_line, long + int ret = -1; + + if (fseek(fp, 0L, SEEK_END) != 0) { +- ERROR("Fseek failed: %s", strerror(errno)); ++ SYSERROR("Fseek failed"); + goto out; + } + len = ftell(fp); + if (len < 0) { +- ERROR("Ftell failed: %s", strerror(errno)); ++ SYSERROR("Ftell failed"); + goto out; + } + if (len < SECTION_SIZE) { +@@ -1228,7 +1228,7 @@ static int do_tail_find(FILE *fp, int64_t require_line, int64_t *get_line, long + } + while (true) { + if (fseek(fp, pos, SEEK_SET) != 0) { +- ERROR("Fseek failed: %s", strerror(errno)); ++ SYSERROR("Fseek failed"); + goto out; + } + read_size = fread(buffer, sizeof(char), (size_t)step_size, fp); +@@ -1275,7 +1275,7 @@ static int util_find_tail_position(const char *file_name, int64_t require_line, + + fp = util_fopen(file_name, "rb"); + if (fp == NULL) { +- ERROR("open file: %s failed: %s", file_name, strerror(errno)); ++ SYSERROR("open file: %s failed.", file_name); + return -1; + } + +diff --git a/src/daemon/modules/container/container_gc/containers_gc.c b/src/daemon/modules/container/container_gc/containers_gc.c +index 9feb6d3c..8d0647ab 100644 +--- a/src/daemon/modules/container/container_gc/containers_gc.c ++++ b/src/daemon/modules/container/container_gc/containers_gc.c +@@ -83,14 +83,14 @@ static int save_gc_config(const char *json_gc_config) + + fd = util_open(filename, O_CREAT | O_TRUNC | O_CLOEXEC | O_WRONLY, CONFIG_FILE_MODE); + if (fd == -1) { +- ERROR("Create file %s failed: %s", filename, strerror(errno)); ++ SYSERROR("Create file %s failed.", filename); + ret = -1; + goto out; + } + + nret = util_write_nointr(fd, json_gc_config, strlen(json_gc_config)); + if (nret < 0 || (size_t)nret != strlen(json_gc_config)) { +- ERROR("write %s failed: %s", filename, strerror(errno)); ++ SYSERROR("write %s failed.", filename); + ret = -1; + } + close(fd); +diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c +index 07d9a0e8..e8c98441 100644 +--- a/src/daemon/modules/container/container_unix.c ++++ b/src/daemon/modules/container/container_unix.c +@@ -517,7 +517,7 @@ static int save_json_config_file(const char *id, const char *rootpath, const cha + + nret = util_atomic_write_file(filename, json_data, strlen(json_data), CONFIG_FILE_MODE, false); + if (nret != 0) { +- ERROR("Write file %s failed: %s", filename, strerror(errno)); ++ SYSERROR("Write file %s failed.", filename); + isulad_set_error_message("Write file '%s' failed: %s", filename, strerror(errno)); + ret = -1; + } +diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c +index c86e3db9..9a38ffc2 100644 +--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c ++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c +@@ -158,7 +158,7 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su + + if (util_detect_mounted(tmpdir)) { + if (umount(tmpdir) != 0) { +- ERROR("Failed to umount target %s, error: %s", tmpdir, strerror(errno)); ++ SYSERROR("Failed to umount target %s", tmpdir); + } + } + +diff --git a/src/daemon/modules/container/supervisor/supervisor.c b/src/daemon/modules/container/supervisor/supervisor.c +index 3ce4ec1e..829e48b1 100644 +--- a/src/daemon/modules/container/supervisor/supervisor.c ++++ b/src/daemon/modules/container/supervisor/supervisor.c +@@ -104,7 +104,7 @@ char *container_exit_fifo_create(const char *cont_state_path) + + ret = mknod(fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0); + if (ret < 0 && errno != EEXIST) { +- ERROR("Failed to mknod exit monitor fifo %s: %s.", fifo_path, strerror(errno)); ++ SYSERROR("Failed to mknod exit monitor fifo %s.", fifo_path); + return NULL; + } + +@@ -128,7 +128,7 @@ int container_exit_fifo_open(const char *cont_exit_fifo) + + ret = util_open(cont_exit_fifo, O_RDONLY | O_NONBLOCK, 0); + if (ret < 0) { +- ERROR("Failed to open exit monitor FIFO %s: %s.", cont_exit_fifo, strerror(errno)); ++ SYSERROR("Failed to open exit monitor FIFO %s.", cont_exit_fifo); + ret = -1; + goto out; + } +@@ -324,7 +324,7 @@ restart: + if (ret == 0) { + goto restart; + } +- ERROR("Mainloop returned an error: %s", strerror(errno)); ++ SYSERROR("Mainloop returned an error"); + + epoll_loop_close(&g_supervisor_descr); + +diff --git a/src/daemon/modules/events/monitord.c b/src/daemon/modules/events/monitord.c +index 775fb9ab..9edded7a 100644 +--- a/src/daemon/modules/events/monitord.c ++++ b/src/daemon/modules/events/monitord.c +@@ -113,18 +113,18 @@ static void *monitored(void *arg) + mhandler.fifo_path = fifo_file_path; + + if (mknod(fifo_file_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0) && errno != EEXIST) { +- ERROR("Create monitored fifo file failed: %s", strerror(errno)); ++ SYSERROR("Create monitored fifo file failed"); + goto err; + } + + mhandler.fifo_fd = util_open(fifo_file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC, 0); + if (mhandler.fifo_fd == -1) { +- ERROR("Open monitored fifo file failed: %s", strerror(errno)); ++ SYSERROR("Open monitored fifo file failed"); + goto err; + } + + if (fcntl(mhandler.fifo_fd, F_SETPIPE_SZ, EVENTS_FIFO_SIZE) == -1) { +- ERROR("Set events fifo buffer size failed: %s\n", strerror(errno)); ++ SYSERROR("Set events fifo buffer size failed"); + goto err; + } + +@@ -150,7 +150,7 @@ static void *monitored(void *arg) + ret = epoll_loop(&descr, -1); + } while (ret == 0); + +- ERROR("Mainloop returned an error: %s", strerror(errno)); ++ SYSERROR("Mainloop returned an error"); + goto err2; + + err: +diff --git a/src/daemon/modules/events_sender/event_sender.c b/src/daemon/modules/events_sender/event_sender.c +index a3903f3e..13f3c3e3 100644 +--- a/src/daemon/modules/events_sender/event_sender.c ++++ b/src/daemon/modules/events_sender/event_sender.c +@@ -52,7 +52,7 @@ static void isulad_monitor_fifo_send(const struct monitord_msg *msg) + goto out; + } + +- ERROR("Failed to open fifo to send message: %s.", strerror(errno)); ++ SYSERROR("Failed to open fifo to send message."); + goto out; + } + +diff --git a/src/daemon/modules/image/embedded/db/sqlite_common.c b/src/daemon/modules/image/embedded/db/sqlite_common.c +index 42fdf6d9..89f834a0 100644 +--- a/src/daemon/modules/image/embedded/db/sqlite_common.c ++++ b/src/daemon/modules/image/embedded/db/sqlite_common.c +@@ -49,7 +49,7 @@ int db_sqlite_init(const char *dbpath) + goto cleanup; + } + if (chmod(dbpath, DEFAULT_SECURE_FILE_MODE) != 0) { +- ERROR("Change mode of db file failed: %s", strerror(errno)); ++ SYSERROR("Change mode of db file failed."); + goto cleanup; + } + return 0; +diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c +index d918f4ce..10af82a3 100644 +--- a/src/daemon/modules/image/external/ext_image.c ++++ b/src/daemon/modules/image/external/ext_image.c +@@ -65,7 +65,7 @@ int ext_prepare_rf(const im_prepare_request *request, char **real_rootfs) + return -1; + } + if (realpath(request->rootfs, real_path) == NULL) { +- ERROR("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno)); ++ SYSERROR("Failed to clean rootfs path '%s'", request->rootfs); + isulad_set_error_message("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno)); + return -1; + } +diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c +index 1275658e..1a3f4307 100644 +--- a/src/daemon/modules/image/image_rootfs_handler.c ++++ b/src/daemon/modules/image/image_rootfs_handler.c +@@ -434,7 +434,7 @@ static int read_user_file(const char *basefs, const char *user_path, FILE **stre + + *stream = util_fopen(real_path, "r"); + if (*stream == NULL) { +- WARN("Failed to open %s: %s", real_path, strerror(errno)); ++ SYSWARN("Failed to open %s.", real_path); + ret = 0; + goto out; + } +@@ -455,7 +455,7 @@ static int resolve_basefs(const char *basefs, char **resolved_basefs) + } + + if (stat(real_path, &s) < 0) { +- ERROR("stat failed, error: %s", strerror(errno)); ++ SYSERROR("stat failed."); + return -1; + } + +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index 4385e55e..d2efab81 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -1045,7 +1045,7 @@ static char *oci_load_path_create() + } + + if (mkdtemp(tmp_dir) == NULL) { +- ERROR("make temporary dir failed: %s", strerror(errno)); ++ SYSERROR("make temporary dir failed"); + isulad_try_set_error_message("make temporary dir failed: %s", strerror(errno)); + ret = -1; + goto out; +diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c +index 62d0c35e..5c660bc9 100644 +--- a/src/daemon/modules/image/oci/registry/registry.c ++++ b/src/daemon/modules/image/oci/registry/registry.c +@@ -445,7 +445,7 @@ static int add_cached_layer(char *blob_digest, char *file, thread_fetch_info *in + } + + if (link(src_file, file) != 0) { +- ERROR("link %s to %s failed: %s", src_file, file, strerror(errno)); ++ SYSERROR("link %s to %s failed", src_file, file); + ret = -1; + goto out; + } +@@ -1147,7 +1147,7 @@ static void set_cached_layers_info(char *blob_digest, char *diffid, int result, + continue; + } + if (link(src_file, elem->file) != 0) { +- ERROR("link %s to %s failed: %s", src_file, elem->file, strerror(errno)); ++ SYSERROR("link %s to %s failed", src_file, elem->file); + info->desc->cancel = true; + continue; + } +@@ -1429,8 +1429,7 @@ static void *register_layers_in_thread(void *arg) + // here we can't just break and cleanup resources because threads are running. + // desc is freed if we break and then isulad crash. sleep some time + // instead to avoid cpu full running and then retry. +- ERROR("condition wait for layer %zu to complete failed, ret %d, error: %s", i, cond_ret, +- strerror(errno)); ++ SYSERROR("condition wait for layer %zu to complete failed, ret %d", i, cond_ret); + sleep(10); + continue; + } +@@ -1615,7 +1614,7 @@ static int fetch_all(pull_descriptor *desc) + // here we can't just break and cleanup resources because threads are running. + // desc is freed if we break and then isulad crash. sleep some time + // instead to avoid cpu full running and then retry. +- ERROR("condition wait for all layers to complete failed, ret %d, error: %s", cond_ret, strerror(errno)); ++ SYSERROR("condition wait for all layers to complete failed, ret %d", cond_ret); + sleep(10); + continue; + } +@@ -1909,7 +1908,7 @@ static int prepare_pull_desc(pull_descriptor *desc, registry_pull_options *optio + } + + if (mkdtemp(blobpath) == NULL) { +- ERROR("make temporary direcory failed: %s", strerror(errno)); ++ SYSERROR("make temporary direcory failed"); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +index e2fcf37c..81e53ea7 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +@@ -780,7 +780,7 @@ static int device_file_walk(struct device_set *devset) + } + + if (stat(fname, &st) != 0) { +- ERROR("devmapper: get %s stat error:%s", fname, strerror(errno)); ++ SYSERROR("devmapper: get %s stat failed", fname); + ret = -1; + goto out; + } +@@ -2202,7 +2202,7 @@ static int grow_fs(struct device_set *devset, image_devmapper_device_info *info) + + clean_mount: + if (umount2(FS_MOUNT_POINT, MNT_DETACH) < 0 && errno != EINVAL) { +- WARN("Failed to umount directory %s:%s", FS_MOUNT_POINT, strerror(errno)); ++ SYSWARN("Failed to umount directory %s", FS_MOUNT_POINT); + } + + out: +@@ -3148,7 +3148,7 @@ int unmount_device(const char *hash, const char *mount_path, struct device_set * + } + + if (umount2(mount_path, MNT_DETACH) < 0 && errno != EINVAL) { +- ERROR("Failed to umount directory %s:%s", mount_path, strerror(errno)); ++ SYSERROR("Failed to umount directory %s", mount_path); + ret = -1; + goto free_out; + } +@@ -3405,7 +3405,7 @@ static int umount_deactivate_dev_all(const struct device_set *devset) + } + + if (stat(fname, &st) != 0) { +- ERROR("devmapper: get %s stat error:%s", fname, strerror(errno)); ++ SYSERROR("devmapper: get %s stat failed", fname); + continue; + } + +@@ -3415,7 +3415,7 @@ static int umount_deactivate_dev_all(const struct device_set *devset) + } + + if (umount2(fname, MNT_DETACH) < 0 && errno != EINVAL) { +- ERROR("Failed to umount directory %s:%s", fname, strerror(errno)); ++ SYSERROR("Failed to umount directory %s", fname); + } + + device_info = lookup_device(devset, entry->d_name); +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c +index fc22bcfd..e91ddd1e 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c +@@ -448,7 +448,7 @@ void dev_udev_wait(uint32_t cookie) + } + + if (pthread_create(&tid, NULL, udev_wait_process, uwait) != 0) { +- ERROR("devmapper: create udev wait process thread error:%s", strerror(errno)); ++ SYSERROR("devmapper: create udev wait process thread error"); + free_udev_wait_pth_t(uwait); + return; + } +@@ -1191,7 +1191,7 @@ void dev_check_sem_set_stat(int *semusz, int *semmni) + } + + if (semctl(0, 0, SEM_INFO, &sinfo) != 0) { +- WARN("Get devmapper library version err:%s", strerror(errno)); ++ SYSWARN("Get devmapper library version err"); + return; + } + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +index ae1aba9c..ddf3a62c 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +@@ -1844,7 +1844,7 @@ static int file_crc64(char *file, uint64_t *crc, uint64_t policy) + + fd = util_open(file, O_RDONLY, 0); + if (fd < 0) { +- ERROR("Open file: %s, failed: %s", file, strerror(errno)); ++ SYSERROR("Open file: %s, failed", file); + return -1; + } + +@@ -1866,7 +1866,7 @@ static int file_crc64(char *file, uint64_t *crc, uint64_t policy) + while (true) { + size = util_read_nointr(fd, buffer, BLKSIZE); + if (size < 0) { +- ERROR("read file %s failed: %s", file, strerror(errno)); ++ SYSERROR("read file %s failed", file); + ret = -1; + break; + } else if (size == 0) { +@@ -1914,7 +1914,7 @@ static int valid_crc64(storage_entry *entry, char *rootfs) + if (fname != NULL && util_has_prefix(fname, ".wh.")) { + goto out; + } +- ERROR("stat file or dir: %s, failed: %s", file, strerror(errno)); ++ SYSERROR("stat file or dir: %s, failed", file); + ret = -1; + } else { + if (strlen(entry->payload) != PAYLOAD_CRC_LEN) { +@@ -1981,7 +1981,7 @@ static tar_split *new_tar_split(layer_t *l, const char *tspath) + + ts->tmp_file = fopen(path, "w+"); + if (ts->tmp_file == NULL) { +- ERROR("create tmpfile failed: %s", strerror(errno)); ++ SYSERROR("create tmpfile failed"); + ret = -1; + goto out; + } +@@ -2019,7 +2019,7 @@ static int next_tar_split_entry(tar_split *ts, storage_entry **entry) + if (errno == 0) { + *entry = NULL; + } else { +- ERROR("error read line from tar split: %s", strerror(errno)); ++ SYSERROR("error read line from tar split"); + ret = -1; + } + goto out; +diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c +index 07c3830b..d5e79207 100644 +--- a/src/daemon/modules/image/oci/storage/storage.c ++++ b/src/daemon/modules/image/oci/storage/storage.c +@@ -1444,7 +1444,7 @@ static int do_add_checked_layer(const char *lid, int fd, map_t *checked_layers) + // save checked layer ids into file + nret = util_write_nointr(fd, buf, strlen(lid) + 1); + if (nret < 0 || (size_t)nret != strlen(lid) + 1) { +- ERROR("Write checked layer data failed: %s", strerror(errno)); ++ SYSERROR("Write checked layer data failed"); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index ad7fe0f4..a233c2b1 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -560,7 +560,7 @@ static int makesure_path_is_dir(char *path) + if (errno == ENOENT) { + return util_mkdir_p(path, TEMP_DIRECTORY_MODE); + } +- ERROR("lstat %s failed: %s", path, strerror(errno)); ++ SYSERROR("lstat %s failed.", path); + return -1; + } + +@@ -620,7 +620,7 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) + } + + if (lstat(isulad_tmpdir, &st) != 0) { +- ERROR("lstat %s failed: %s", isulad_tmpdir, strerror(errno)); ++ SYSERROR("lstat %s failed.", isulad_tmpdir); + ret = -1; + goto out; + } +@@ -631,7 +631,7 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) + ret = 0; + goto out; + } else { +- ERROR("lchown %s failed: %s", isulad_tmpdir, strerror(errno)); ++ SYSERROR("lchown %s failed", isulad_tmpdir); + } + + out: +diff --git a/src/daemon/modules/log/log_gather.c b/src/daemon/modules/log/log_gather.c +index 9b400f00..773526a8 100644 +--- a/src/daemon/modules/log/log_gather.c ++++ b/src/daemon/modules/log/log_gather.c +@@ -66,7 +66,7 @@ static int file_rotate_gz(const char *file_name, int i) + } + + if (rename(from_path, to_path) < 0 && errno != ENOENT) { +- WARN("Rename file: %s error: %s", from_path, strerror(errno)); ++ SYSWARN("Rename file: %s failed", from_path); + return -1; + } + +@@ -85,7 +85,7 @@ static int file_rotate_me(const char *file_name) + } + + if (rename(file_name, tmp_path) < 0 && errno != ENOENT) { +- WARN("Rename file: %s error: %s", file_name, strerror(errno)); ++ SYSWARN("Rename file: %s failed", file_name); + return -1; + } + +@@ -142,7 +142,7 @@ static int create_fifo() + + ret = mknod(g_fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0); + if (ret != 0 && errno != EEXIST) { +- COMMAND_ERROR("mknod failed: %s", strerror(errno)); ++ CMD_SYSERROR("mknod failed"); + } else { + ret = 0; + } +@@ -157,12 +157,12 @@ static int open_log(bool change_size) + + fd = util_open(g_fifo_path, O_RDWR | O_CLOEXEC, 0); + if (fd == -1) { +- COMMAND_ERROR("open fifo %s failed: %s", g_fifo_path, strerror(errno)); ++ CMD_SYSERROR("open fifo %s failed", g_fifo_path); + return fd; + } + + if (change_size && fcntl(fd, F_SETPIPE_SZ, LOG_FIFO_SIZE) == -1) { +- COMMAND_ERROR("set fifo buffer size failed: %s", strerror(errno)); ++ CMD_SYSERROR("set fifo buffer size failed"); + close(fd); + return -1; + } +@@ -262,7 +262,7 @@ void main_loop() + int len = (int)util_read_nointr(g_fifo_fd, rev_buf, REV_BUF_SIZE); + if (len < 0) { + if (ecount < 2) { +- COMMAND_ERROR("%d: Read message failed: %s", ecount++, strerror(errno)); ++ CMD_SYSERROR("%d: Read message failed", ecount++); + } + continue; + } +@@ -270,7 +270,7 @@ void main_loop() + + rev_buf[len] = '\0'; + if (g_save_log_op(rev_buf, (size_t)len) < 0) { +- COMMAND_ERROR("write message failed: %s", strerror(errno)); ++ CMD_SYSERROR("write message failed"); + } + } + } +@@ -289,14 +289,14 @@ static int log_file_open() + } + fd = util_open(g_log_file, O_CREAT | O_WRONLY | O_APPEND, g_log_mode); + if (fd == -1) { +- COMMAND_ERROR("Open %s failed: %s", g_log_file, strerror(errno)); ++ CMD_SYSERROR("Open %s failed", g_log_file); + ret = -1; + goto out; + } + + /* change log file mode to config, if log file exist and with different mode */ + if (fchmod(fd, g_log_mode) != 0) { +- COMMAND_ERROR("Change mode of log file: %s failed: %s", g_log_file, strerror(errno)); ++ CMD_SYSERROR("Change mode of log file: %s failed", g_log_file); + close(fd); + ret = -1; + goto out; +diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c b/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c +index 7489f8f3..cad92ce8 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c ++++ b/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c +@@ -90,7 +90,7 @@ static char *do_get_cni_net_confs_json(const char *filename) + + content = util_read_text_file(filename); + if (content == NULL) { +- ERROR("Read file %s failed: %s", filename, strerror(errno)); ++ SYSERROR("Read file %s failed", filename); + } + + return content; +diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c +index 2b9cf39c..e985cfc1 100644 +--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c ++++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c +@@ -88,7 +88,7 @@ static int parse_container_pid(const char *S, pid_ppid_info_t *pid_info) + + num = sscanf(S, "%d %Lu %d %Lu", &pid_info->pid, &pid_info->start_time, &pid_info->ppid, &pid_info->pstart_time); + if (num != 4) { // args num to read is 4 +- ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); ++ SYSERROR("Call sscanf failed."); + return -1; + } + +@@ -210,7 +210,7 @@ static int remove_container_rootpath(const char *id, const char *root_path) + ret = util_recursive_rmdir(cont_root_path, 0); + if (ret != 0) { + const char *tmp_err = (errno != 0) ? strerror(errno) : "error"; +- ERROR("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err); ++ SYSERROR("Failed to delete container's root directory %s.", cont_root_path); + isulad_set_error_message("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err); + ret = -1; + goto out; +@@ -750,7 +750,7 @@ int rt_lcr_kill(const char *id, const char *runtime, const rt_kill_params_t *par + } else { + int ret = kill(params->pid, (int)params->signal); + if (ret < 0) { +- ERROR("Can not kill process (pid=%d) with signal %u: %s", params->pid, params->signal, strerror(errno)); ++ SYSERROR("Can not kill process (pid=%d) with signal %u.", params->pid, params->signal); + return -1; + } + } +diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c +index 5a62cc37..786071a7 100644 +--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c ++++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c +@@ -390,7 +390,7 @@ static bool shim_alive(const char *workdir) + + ret = kill(pid, 0); + if (ret != 0) { +- INFO("kill 0 shim-pid with error: %s", strerror(errno)); ++ SYSINFO("kill 0 shim-pid with error."); + } + return ret == 0; + } +@@ -780,7 +780,7 @@ static int shim_create(bool fg, const char *id, const char *workdir, const char + + pid = fork(); + if (pid < 0) { +- ERROR("Failed fork for shim parent %s", strerror(errno)); ++ SYSERROR("Failed fork for shim parent"); + close(shim_stderr_pipe[0]); + close(shim_stderr_pipe[1]); + close(shim_stdout_pipe[0]); +@@ -856,7 +856,7 @@ realexec: + + status = util_wait_for_pid_status(pid); + if (status < 0) { +- ERROR("Failed wait shim-parent %d exit %s", pid, strerror(errno)); ++ SYSERROR("Failed wait shim-parent %d exit", pid); + ret = -1; + goto out; + } +@@ -1699,7 +1699,7 @@ int rt_isula_exec_resize(const char *id, const char *runtime, const rt_exec_resi + } + + if (kill(pid, SIGWINCH) < 0) { +- ERROR("can't kill process (pid=%d) with signal %u: %s", pid, SIGWINCH, strerror(errno)); ++ SYSERROR("can't kill process (pid=%d) with signal %u", pid, SIGWINCH); + ret = -1; + goto out; + } +@@ -1727,7 +1727,7 @@ int rt_isula_kill(const char *id, const char *runtime, const rt_kill_params_t *p + } else { + int ret = kill(params->pid, (int)params->signal); + if (ret < 0) { +- ERROR("Can not kill process (pid=%d) with signal %u: %s", params->pid, params->signal, strerror(errno)); ++ SYSERROR("Can not kill process (pid=%d) with signal %u", params->pid, params->signal); + return -1; + } + } +diff --git a/src/daemon/modules/runtime/shim/shim_rt_monitor.cc b/src/daemon/modules/runtime/shim/shim_rt_monitor.cc +index 3b6274ea..f5178c26 100644 +--- a/src/daemon/modules/runtime/shim/shim_rt_monitor.cc ++++ b/src/daemon/modules/runtime/shim/shim_rt_monitor.cc +@@ -114,7 +114,7 @@ private: + + exit_fifo_fd = util_open(exit_fifo.c_str(), O_WRONLY | O_NONBLOCK, 0); + if (exit_fifo_fd < 0) { +- ERROR("Failed to open exit FIFO %s: %s.", exit_fifo.c_str(), strerror(errno)); ++ SYSERROR("Failed to open exit FIFO %s.", exit_fifo.c_str()); + return -1; + } + +diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c +index 73d5de1c..d348dfe1 100644 +--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c ++++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c +@@ -210,7 +210,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w + + pid = fork(); + if (pid < 0) { +- ERROR("Failed to fork for shim parent %s", strerror(errno)); ++ SYSERROR("Failed to fork for shim parent"); + ret = -1; + goto out; + } +@@ -264,7 +264,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w + + status = util_wait_for_pid_status(pid); + if (status < 0) { +- ERROR("failed to wait shim-parent %d exit %s", pid, strerror(errno)); ++ SYSERROR("failed to wait shim-parent %d exit", pid); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/service/io_handler.c b/src/daemon/modules/service/io_handler.c +index 0cb9fda9..474fa650 100644 +--- a/src/daemon/modules/service/io_handler.c ++++ b/src/daemon/modules/service/io_handler.c +@@ -330,7 +330,7 @@ static ssize_t write_to_fifo(void *context, const void *data, size_t len) + fd = *(int *)context; + ret = util_write_nointr_in_total(fd, data, len); + if ((ret <= 0) || (ret != (ssize_t)len)) { +- ERROR("Failed to write %d: %s", fd, strerror(errno)); ++ SYSERROR("Failed to write %d", fd); + return -1; + } + return ret; +@@ -341,7 +341,7 @@ static ssize_t write_to_fd(void *context, const void *data, size_t len) + ssize_t ret; + ret = util_write_nointr(*(int *)context, data, len); + if (ret < 0 || (size_t)ret != len) { +- ERROR("Failed to write: %s", strerror(errno)); ++ SYSERROR("Failed to write"); + return -1; + } + return ret; +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index c4ee0223..483670de 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -575,7 +575,7 @@ static int umount_dev_tmpfs_for_system_container(const container_t *cont) + return -1; + } + if (umount(rootfs_dev_path) < 0 && errno != ENOENT) { +- WARN("Failed to umount dev tmpfs: %s, error: %s", rootfs_dev_path, strerror(errno)); ++ SYSWARN("Failed to umount dev tmpfs: %s", rootfs_dev_path); + } + } + return 0; +@@ -595,7 +595,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem + } + + if (lstat(mp->source, &st) != 0) { +- ERROR("lstat %s: %s", mp->source, strerror(errno)); ++ SYSERROR("lstat %s failed", mp->source); + isulad_set_error_message("lstat %s: %s", mp->source, strerror(errno)); + return -1; + } +@@ -679,8 +679,7 @@ static void wait_exit_fifo(const char *id, const int exit_fifo_fd) + descr.timeout_cbdata = container_id; + nret = epoll_loop(&descr, WAIT_TIMEOUT); + if (nret != 0) { +- ERROR("Wait container %s 's monitor on fd %d error: %s", id, exit_fifo_fd, +- errno ? strerror(errno) : ""); ++ SYSERROR("Wait container %s 's monitor on fd %d failed", id, exit_fifo_fd); + goto out; + } + +@@ -1266,7 +1265,7 @@ static int do_delete_container(container_t *cont) + } + ret = util_recursive_rmdir(container_state, 0); + if (ret != 0) { +- ERROR("Failed to delete container's state directory %s: %s", container_state, strerror(errno)); ++ SYSERROR("Failed to delete container's state directory %s", container_state); + ret = -1; + goto out; + } +@@ -1399,7 +1398,7 @@ static int send_signal_to_process(pid_t pid, unsigned long long start_time, uint + } else { + int ret = kill(pid, (int)signal); + if (ret < 0) { +- ERROR("Can not kill process (pid=%d) with signal %u: %s", pid, signal, strerror(errno)); ++ SYSERROR("Can not kill process (pid=%d) with signal %u", pid, signal); + return -1; + } + } +@@ -2157,7 +2156,7 @@ static void exec_container_end(container_exec_response *response, const containe + } + if (sync_fd >= 0 && cc != ISULAD_SUCCESS) { + if (eventfd_write(sync_fd, 1) < 0) { +- ERROR("Failed to write eventfd: %s", strerror(errno)); ++ SYSERROR("Failed to write eventfd"); + } + } + if (thread_id > 0) { +diff --git a/src/daemon/modules/service/service_network.c b/src/daemon/modules/service/service_network.c +index c617852f..5502bcbd 100644 +--- a/src/daemon/modules/service/service_network.c ++++ b/src/daemon/modules/service/service_network.c +@@ -961,7 +961,7 @@ static int do_update_internal_file(const char *id, const char *file_path, + WARN("failed to write file %s in readonly file system", file_path); + ret = 0; + } else { +- ERROR("Failed to write file %s: %s", file_path, strerror(errno)); ++ SYSERROR("Failed to write file %s", file_path); + isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); + ret = -1; + } +@@ -1179,7 +1179,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de + WARN("failed to open file %s in readonly file system", file_path); + goto out; + } else { +- ERROR("Failed to open %s: %s", file_path, strerror(errno)); ++ SYSERROR("Failed to open %s", file_path); + isulad_set_error_message("Failed to open %s: %s", file_path, strerror(errno)); + ret = -1; + goto out; +@@ -1212,7 +1212,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de + + ret = util_write_file(file_path, str, strlen(str), NETWORK_MOUNT_FILE_MODE); + if (ret != 0) { +- ERROR("Failed to write file %s: %s", file_path, strerror(errno)); ++ SYSERROR("Failed to write file %s", file_path); + isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); + goto out; + } +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index d5bb68f4..3454a8c6 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -2405,7 +2405,7 @@ int save_oci_config(const char *id, const char *rootpath, const oci_runtime_spec + + if (util_atomic_write_file(file_path, json_container, strlen(json_container), DEFAULT_SECURE_FILE_MODE, false) != + 0) { +- ERROR("write json container failed: %s", strerror(errno)); ++ SYSERROR("write json container failed"); + ret = -1; + goto out_free; + } +diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c +index dc1ca1f1..ade22a02 100644 +--- a/src/daemon/modules/spec/specs_mount.c ++++ b/src/daemon/modules/spec/specs_mount.c +@@ -1430,7 +1430,7 @@ static int copy_data_to_volume(char *base_fs, defs_mount *mnt) + if (errno == ENOENT) { + goto out; + } +- ERROR("stat for copy data to volume failed: %s", strerror(errno)); ++ SYSERROR("stat for copy data to volume failed"); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c +index e384b8cc..6180b887 100644 +--- a/src/daemon/modules/spec/verify.c ++++ b/src/daemon/modules/spec/verify.c +@@ -248,7 +248,7 @@ static bool check_kernel_version_ge4() + + ret = uname(&uts); + if (ret < 0) { +- WARN("Can not get kernel version: %s", strerror(errno)); ++ SYSWARN("Can not get kernel version"); + } else { + /* greater or equal than 4.0.0, check first part is enough */ + return atoi(uts.release) >= 4; +@@ -1332,7 +1332,7 @@ static int get_source_mount(const char *src, char **srcpath, char **optional) + char *dname = NULL; + + if (realpath(src, real_path) == NULL) { +- ERROR("Failed to get real path for %s : %s", src, strerror(errno)); ++ SYSERROR("Failed to get real path for %s", src); + return -1; + } + +@@ -1535,7 +1535,7 @@ static int verify_custom_mount(defs_mount **mounts, size_t len) + #else + if (!util_file_exists(iter->source) && util_mkdir_p(iter->source, mode)) { + #endif +- ERROR("Failed to create directory '%s': %s", iter->source, strerror(errno)); ++ SYSERROR("Failed to create directory '%s'", iter->source); + isulad_try_set_error_message("Failed to create directory '%s': %s", iter->source, strerror(errno)); + ret = -1; + goto out; +diff --git a/src/daemon/modules/volume/local.c b/src/daemon/modules/volume/local.c +index 994ed96a..7f95757d 100644 +--- a/src/daemon/modules/volume/local.c ++++ b/src/daemon/modules/volume/local.c +@@ -165,7 +165,7 @@ static int init_volume_root_dir(struct volumes_info *vols_info, const char *root + + ret = util_mkdir_p(root_dir, LOCAL_VOLUME_ROOT_DIR_MODE); + if (ret != 0) { +- ERROR("create volume directory %s failed: %s", root_dir, strerror(errno)); ++ SYSERROR("create volume directory %s failed", root_dir); + goto out; + } + +@@ -229,7 +229,7 @@ static char *build_and_valid_data_dir(const char *root_dir, const char *name) + } + + if (lstat(tmp_dir, &st) != 0) { +- ERROR("lstat %s: %s", tmp_dir, strerror(errno)); ++ SYSERROR("lstat %s failed", tmp_dir); + ret = -1; + goto out; + } +@@ -388,7 +388,7 @@ static struct volume *volume_create_nolock(char *name) + + ret = util_mkdir_p(v->path, LOCAL_VOLUME_DIR_MODE); + if (ret != 0) { +- ERROR("failed to create %s for volume %s: %s", v->path, v->name, strerror(errno)); ++ SYSERROR("failed to create %s for volume %s", v->path, v->name); + goto out; + } + +@@ -556,14 +556,14 @@ static int remove_volume_dir(char *path) + // remain untouched if we remove the data directory failed. + ret = util_recursive_rmdir(path, 0); + if (ret != 0) { +- ERROR("failed to remove volume data dir %s: %s", path, strerror(errno)); ++ SYSERROR("failed to remove volume data dir %s", path); + isulad_try_set_error_message("failed to remove volume data dir %s: %s", path, strerror(errno)); + goto out; + } + + ret = util_recursive_rmdir(vol_dir, 0); + if (ret != 0) { +- ERROR("failed to remove volume dir %s: %s", vol_dir, strerror(errno)); ++ SYSERROR("failed to remove volume dir %s", vol_dir); + isulad_try_set_error_message("failed to remove volume dir %s: %s", vol_dir, strerror(errno)); + goto out; + } +@@ -586,7 +586,7 @@ static int volume_remove_nolock(char *name) + } + + if (remove_volume_dir(v->path) != 0) { +- ERROR("failed to remove volume dir %s: %s", v->path, strerror(errno)); ++ SYSERROR("failed to remove volume dir %s", v->path); + return -1; + } + +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index 94c2684a..d3fc7eea 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -833,7 +833,7 @@ auto Sandbox::SaveNetworkSetting(Errors &error) -> bool + nret = util_atomic_write_file(path.c_str(), m_networkSettings.c_str(), m_networkSettings.length(), CONFIG_FILE_MODE, + false); + if (nret != 0) { +- ERROR("Failed to write file %s: %s", path.c_str(), strerror(errno)); ++ SYSERROR("Failed to write file %s", path.c_str()); + error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); + return false; + } +diff --git a/src/utils/console/console.c b/src/utils/console/console.c +index a160d685..568832e8 100644 +--- a/src/utils/console/console.c ++++ b/src/utils/console/console.c +@@ -36,7 +36,7 @@ static ssize_t fd_write_function(void *context, const void *data, size_t len) + + ret = util_write_nointr_in_total(*(int *)context, data, len); + if ((ret <= 0) || (ret != (ssize_t)len)) { +- ERROR("Failed to write: %s", strerror(errno)); ++ SYSERROR("Failed to write"); + return -1; + } + return ret; +@@ -100,7 +100,7 @@ static int console_writer_write_data(const struct io_write_wrapper *writer, cons + } + ret = writer->write_func(writer->context, buf, (size_t)len); + if (ret <= 0 || ret != len) { +- ERROR("Failed to write, type: %d, expect: %zd, wrote: %zd, error: %s!", writer->io_type, len, ret, strerror(errno)); ++ SYSERROR("Failed to write, type: %d, expect: %zd, wrote: %zd!", writer->io_type, len, ret); + return -1; + } + return 0; +@@ -187,7 +187,7 @@ int console_fifo_name(const char *rundir, const char *subpath, const char *stdfl + if (do_mkdirp) { + ret = util_mkdir_p(fifo_path, CONSOLE_FIFO_DIRECTORY_MODE); + if (ret < 0) { +- COMMAND_ERROR("Unable to create console fifo directory %s: %s.", fifo_path, strerror(errno)); ++ CMD_SYSERROR("Unable to create console fifo directory %s.", fifo_path); + goto out; + } + } +@@ -215,7 +215,7 @@ int console_fifo_create(const char *fifo_path) + + ret = mknod(fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0); + if (ret < 0 && errno != EEXIST) { +- ERROR("Failed to mknod monitor fifo %s: %s.", fifo_path, strerror(errno)); ++ SYSERROR("Failed to mknod monitor fifo %s.", fifo_path); + return -1; + } + +@@ -265,7 +265,7 @@ int console_fifo_open(const char *fifo_path, int *fdout, int flags) + + fd = util_open(fifo_path, flags, (mode_t)0); + if (fd < 0) { +- ERROR("Failed to open fifo %s to send message: %s.", fifo_path, strerror(errno)); ++ SYSERROR("Failed to open fifo %s to send message.", fifo_path); + return -1; + } + +@@ -281,7 +281,7 @@ int console_fifo_open_withlock(const char *fifo_path, int *fdout, int flags) + + fd = util_open(fifo_path, flags, 0); + if (fd < 0) { +- WARN("Failed to open fifo %s to send message: %s.", fifo_path, strerror(errno)); ++ SYSWARN("Failed to open fifo %s to send message.", fifo_path); + return -1; + } + +@@ -411,12 +411,12 @@ int console_loop_with_std_fd(int stdinfd, int stdoutfd, int stderrfd, int fifoin + if (tty) { + ret = epoll_loop_add_handler(&descr, ts.stdin_reader, console_cb_tty_stdin_with_escape, &ts); + if (ret) { +- INFO("Add handler for stdinfd faied. with error %s", strerror(errno)); ++ SYSINFO("Add handler for stdinfd faied."); + } + } else { + ret = epoll_loop_add_handler(&descr, ts.stdin_reader, console_cb_stdio_copy, &ts); + if (ret) { +- INFO("Add handler for stdinfd faied. with error %s", strerror(errno)); ++ SYSINFO("Add handler for stdinfd faied."); + } + } + } +diff --git a/src/utils/cutils/network_namespace.c b/src/utils/cutils/network_namespace.c +index 212f0bd7..0e225d9b 100644 +--- a/src/utils/cutils/network_namespace.c ++++ b/src/utils/cutils/network_namespace.c +@@ -175,7 +175,7 @@ int remove_network_namespace(const char *netns_path) + } + + if (umount_network_namespace(netns_path) != 0) { +- ERROR("Failed to umount directory %s:%s", netns_path, strerror(errno)); ++ SYSERROR("Failed to umount directory %s", netns_path); + return -1; + } + +diff --git a/src/utils/cutils/path.c b/src/utils/cutils/path.c +index d586e981..51d73445 100644 +--- a/src/utils/cutils/path.c ++++ b/src/utils/cutils/path.c +@@ -698,7 +698,7 @@ static char *find_realpath(const char *path) + + ret = (int)readlink(iter_path, target, PATH_MAX - 1); + if (ret < 0) { +- ERROR("Failed to read link of %s: %s", iter_path, strerror(errno)); ++ SYSERROR("Failed to read link of %s.", iter_path); + goto out; + } + // is not absolutely path +@@ -745,7 +745,7 @@ int util_realpath_in_scope(const char *rootfs, const char *path, char **real_pat + + int nret = snprintf(full_path, sizeof(full_path), "%s%s", rootfs, path); + if (nret < 0 || (size_t)nret >= sizeof(full_path)) { +- ERROR("sprintf error: %s", strerror(errno)); ++ SYSERROR("sprintf failed"); + ret = -1; + goto out; + } +diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c +index ecd530bc..d946694c 100644 +--- a/src/utils/cutils/utils.c ++++ b/src/utils/cutils/utils.c +@@ -480,7 +480,7 @@ proc_t *util_stat2proc(const char *s, size_t len) + num = sscanf(s, "%d (%15c", &p->pid, p->cmd); + #endif + if (num != 2) { +- ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); ++ SYSERROR("Call sscanf error"); + free(p); + return NULL; + } +@@ -495,7 +495,7 @@ proc_t *util_stat2proc(const char *s, size_t len) + &p->maj_flt, &p->cmaj_flt, &p->utime, &p->stime, &p->cutime, &p->cstime, &p->priority, &p->nice, + &p->timeout, &p->it_real_value, &p->start_time); + if (num != 20) { // max arg to read +- ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); ++ SYSERROR("Call sscanf error"); + free(p); + return NULL; + } +@@ -1159,7 +1159,7 @@ static int set_echo_back(bool echo_back) + struct termios old, new; + + if (tcgetattr(STDIN_FILENO, &old)) { +- ERROR("get tc attribute failed: %s\n", strerror(errno)); ++ SYSERROR("get tc attribute failed"); + return -1; + } + +@@ -1172,7 +1172,7 @@ static int set_echo_back(bool echo_back) + } + + if (tcsetattr(STDIN_FILENO, TCSANOW, &new)) { +- ERROR("set tc attribute failed: %s\n", strerror(errno)); ++ SYSERROR("set tc attribute failed"); + return -1; + } + +@@ -1498,7 +1498,7 @@ int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_v + } + + if (uname(&uts) < 0) { +- ERROR("Failed to read host arch and os: %s", strerror(errno)); ++ SYSERROR("Failed to read host arch and os"); + return -1; + } + +@@ -1655,7 +1655,7 @@ int util_create_shm_path(const char *spath, const int64_t shm_size) + + nret = mount("shm", spath, "tmpfs", MS_NOEXEC | MS_NODEV | MS_NOSUID, shmproperty); + if (nret < 0) { +- ERROR("Mount %s failed: %s", spath, strerror(errno)); ++ SYSERROR("Mount %s failed", spath); + return -1; + } + +diff --git a/src/utils/cutils/utils_aes.c b/src/utils/cutils/utils_aes.c +index 055a9538..2eecf2d6 100644 +--- a/src/utils/cutils/utils_aes.c ++++ b/src/utils/cutils/utils_aes.c +@@ -72,13 +72,13 @@ int util_aes_key(const char *key_file, bool create, unsigned char *aeskey) + } else { + fd = open(key_file, O_RDONLY); + if (fd < 0) { +- ERROR("open key file %s failed: %s", key_file, strerror(errno)); ++ SYSERROR("open key file %s failed", key_file); + ret = -1; + goto out; + } + + if (util_read_nointr(fd, aeskey, AES_256_CFB_KEY_LEN) != AES_256_CFB_KEY_LEN) { +- ERROR("read key file %s failed: %s", key_file, strerror(errno)); ++ SYSERROR("read key file %s failed", key_file); + ret = -1; + goto out; + } +@@ -163,14 +163,14 @@ int util_aes_encode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns + evp_ret = EVP_EncryptInit(ctx, cipher, aeskey, iv); + #endif + if (evp_ret != 1) { +- ERROR("init evp decrypt failed, result %d: %s", evp_ret, strerror(errno)); ++ SYSERROR("init evp decrypt failed, result %d", evp_ret); + ret = -1; + goto out; + } + + evp_ret = EVP_EncryptUpdate(ctx, (*out) + AES_256_CFB_IV_LEN, &tmp_out_len, bytes, len); + if (evp_ret != 1) { +- ERROR("evp encrypt update failed, result %d: %s", evp_ret, strerror(errno)); ++ SYSERROR("evp encrypt update failed, result %d", evp_ret); + ret = -1; + goto out; + } +@@ -182,7 +182,7 @@ int util_aes_encode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns + evp_ret = EVP_EncryptFinal(ctx, (*out) + AES_256_CFB_IV_LEN + tmp_out_len, &tmp_out_len); + #endif + if (evp_ret != 1) { +- ERROR("evp encrypt final failed, result %d: %s", evp_ret, strerror(errno)); ++ SYSERROR("evp encrypt final failed, result %d", evp_ret); + ret = -1; + goto out; + } +@@ -256,7 +256,7 @@ int util_aes_decode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns + evp_ret = EVP_DecryptInit(ctx, cipher, aeskey, iv); + #endif + if (evp_ret != 1) { +- ERROR("init evp decrypt failed, result %d: %s", evp_ret, strerror(errno)); ++ SYSERROR("init evp decrypt failed, result %d", evp_ret); + ret = -1; + goto out; + } +@@ -264,7 +264,7 @@ int util_aes_decode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns + expected_size = len - AES_256_CFB_IV_LEN; + evp_ret = EVP_DecryptUpdate(ctx, *out, &tmp_out_len, bytes + AES_256_CFB_IV_LEN, expected_size); + if (evp_ret != 1) { +- ERROR("evp decrypt update failed, result %d: %s", evp_ret, strerror(errno)); ++ SYSERROR("evp decrypt update failed, result %d", evp_ret); + ret = -1; + goto out; + } +@@ -276,7 +276,7 @@ int util_aes_decode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns + evp_ret = EVP_DecryptFinal(ctx, (*out) + tmp_out_len, &tmp_out_len); + #endif + if (evp_ret != 1) { +- ERROR("evp decrypt final failed, result %d: %s", evp_ret, strerror(errno)); ++ SYSERROR("evp decrypt final failed, result %d", evp_ret); + ret = -1; + goto out; + } +diff --git a/src/utils/cutils/utils_base64.c b/src/utils/cutils/utils_base64.c +index 3871140e..78e5ae0d 100644 +--- a/src/utils/cutils/utils_base64.c ++++ b/src/utils/cutils/utils_base64.c +@@ -47,7 +47,7 @@ int util_base64_encode(unsigned char *bytes, size_t len, char **out) + } + + if (EVP_EncodeBlock((uint8_t *)(*out), (const uint8_t *)bytes, len) == 0) { +- ERROR("Encode base64 failed: %s", strerror(errno)); ++ SYSERROR("Encode base64 failed"); + free(encoded); + return -1; + } +@@ -78,7 +78,7 @@ int util_base64_decode(const char *input, size_t len, unsigned char **out, size_ + } + + if (EVP_DecodeBase64((uint8_t *)decoded, &decoded_size, decoded_size, (const uint8_t *)input, len) == 0) { +- ERROR("Decode base64 failed: %s", strerror(errno)); ++ SYSERROR("Decode base64 failed"); + free(decoded); + return -1; + } +diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c +index 8480dd94..bc22ee95 100644 +--- a/src/utils/cutils/utils_file.c ++++ b/src/utils/cutils/utils_file.c +@@ -231,7 +231,7 @@ int util_mkdir_p_userns_remap(const char *dir, mode_t mode, const char *userns_r + if (*cur_dir) { + ret = mkdir(cur_dir, mode); + if (ret != 0 && (errno != EEXIST || !util_dir_exists(cur_dir))) { +- ERROR("failed to create directory '%s': %s", cur_dir, strerror(errno)); ++ SYSERROR("failed to create directory '%s'", cur_dir); + goto err_out; + } + if (ret == 0 && userns_remap != NULL && chown(cur_dir, host_uid, host_gid) != 0) { +@@ -318,14 +318,14 @@ bool util_force_remove_file(const char *fname, int *saved_errno) + if (saved_errno != NULL && *saved_errno == 0) { + *saved_errno = errno; + } +- WARN("Failed to delete %s: %s", fname, strerror(errno)); ++ SYSWARN("Failed to delete %s", fname); + + if (mark_file_mutable(fname) != 0) { + WARN("Failed to mark file mutable"); + } + + if (unlink(fname) != 0) { +- ERROR("Failed to delete \"%s\": %s", fname, strerror(errno)); ++ SYSERROR("Failed to delete \"%s\"", fname); + return false; + } + +@@ -711,7 +711,7 @@ int util_gzip_compressed(const char *filename, bool *gzip) + + f = fopen(filename, "rb"); + if (f == NULL) { +- ERROR("Failed to open file %s: %s", filename, strerror(errno)); ++ SYSERROR("Failed to open file %s", filename); + return -1; + } + +@@ -887,7 +887,7 @@ char *util_read_text_file(const char *path) + + readlen = fread(buf, 1, (size_t)len, filp); + if (((readlen < (size_t)len) && (!feof(filp))) || (readlen > (size_t)len)) { +- ERROR("Failed to read file %s, error: %s\n", path, strerror(errno)); ++ SYSERROR("Failed to read file %s.", path); + UTIL_FREE_AND_SET_NULL(buf); + goto err_out; + } +@@ -913,7 +913,7 @@ int64_t util_file_size(const char *filename) + } + + if (stat(filename, &st)) { +- WARN("stat file %s failed: %s", filename, strerror(errno)); ++ SYSWARN("stat file %s failed", filename); + return -1; + } + +@@ -932,7 +932,7 @@ int util_scan_subdirs(const char *directory, subdir_callback_t cb, void *context + + dir = opendir(directory); + if (dir == NULL) { +- ERROR("Failed to open directory: %s error:%s", directory, strerror(errno)); ++ SYSERROR("Failed to open directory: %s", directory); + return -1; + } + +@@ -967,7 +967,7 @@ int util_list_all_subdir(const char *directory, char ***out) + + dir = opendir(directory); + if (dir == NULL) { +- ERROR("Failed to open directory: %s error:%s", directory, strerror(errno)); ++ SYSERROR("Failed to open directory: %s", directory); + return -1; + } + direntp = readdir(dir); +@@ -1115,14 +1115,14 @@ int util_write_file(const char *fname, const char *content, size_t content_len, + } + dst_fd = util_open(fname, O_WRONLY | O_CREAT | O_TRUNC, mode); + if (dst_fd < 0) { +- ERROR("Creat file: %s, failed: %s", fname, strerror(errno)); ++ SYSERROR("Creat file: %s, failed", fname); + ret = -1; + goto free_out; + } + len = util_write_nointr(dst_fd, content, content_len); + if (len < 0 || ((size_t)len) != content_len) { + ret = -1; +- ERROR("Write file failed: %s", strerror(errno)); ++ SYSERROR("Write file failed"); + goto free_out; + } + free_out: +@@ -1141,7 +1141,7 @@ char *verify_file_and_get_real_path(const char *file) + return NULL; + } + if (realpath(file, resolved_path) == NULL) { +- ERROR("Failed to get realpath: %s , %s", resolved_path, strerror(errno)); ++ SYSERROR("Failed to get realpath: %s.", resolved_path); + return NULL; + } + +@@ -1171,33 +1171,33 @@ int util_copy_file(const char *src_file, const char *dst_file, mode_t mode) + } + nret = realpath(src_file, real_src_file); + if (nret == NULL) { +- ERROR("real path: %s, return: %s", src_file, strerror(errno)); ++ SYSERROR("real path: %s failed.", src_file); + ret = -1; + return ret; + } + src_fd = util_open(real_src_file, O_RDONLY, CONFIG_FILE_MODE); + if (src_fd < 0) { +- ERROR("Open src file: %s, failed: %s", real_src_file, strerror(errno)); ++ SYSERROR("Open src file: %s, failed", real_src_file); + ret = -1; + goto free_out; + } + dst_fd = util_open(dst_file, O_WRONLY | O_CREAT | O_TRUNC, mode); + if (dst_fd < 0) { +- ERROR("Creat file: %s, failed: %s", dst_file, strerror(errno)); ++ SYSERROR("Creat file: %s, failed", dst_file); + ret = -1; + goto free_out; + } + while (true) { + ssize_t len = util_read_nointr(src_fd, buf, BUFSIZE); + if (len < 0) { +- ERROR("Read src file failed: %s", strerror(errno)); ++ SYSERROR("Read src file failed"); + ret = -1; + goto free_out; + } else if (len == 0) { + break; + } + if (util_write_nointr(dst_fd, buf, (size_t)len) != len) { +- ERROR("Write file failed: %s", strerror(errno)); ++ SYSERROR("Write file failed"); + ret = -1; + goto free_out; + } +@@ -1489,7 +1489,7 @@ static int do_atomic_write_file(const char *fname, const char *content, size_t c + + dst_fd = util_open(fname, O_WRONLY | O_CREAT | O_TRUNC, mode); + if (dst_fd < 0) { +- ERROR("Creat file: %s, failed: %s", fname, strerror(errno)); ++ SYSERROR("Creat file: %s, failed", fname); + ret = -1; + goto free_out; + } +@@ -1497,7 +1497,7 @@ static int do_atomic_write_file(const char *fname, const char *content, size_t c + len = util_write_nointr(dst_fd, content, content_len); + if (len < 0 || ((size_t)len) != content_len) { + ret = -1; +- ERROR("Write file failed: %s", strerror(errno)); ++ SYSERROR("Write file failed"); + goto free_out; + } + +@@ -1673,7 +1673,7 @@ int util_proc_file_line_by_line(FILE *fp, read_line_callback_t cb, void *context + // end of file + if (errno != 0) { + ret = -1; +- ERROR("read line failed: %s", strerror(errno)); ++ SYSERROR("read line failed"); + } + goto out; + } +@@ -1761,7 +1761,7 @@ static int copy_own(char *copy_dst, struct stat *src_stat) + struct stat dst_stat = { 0 }; + + if (lstat(copy_dst, &dst_stat) != 0) { +- ERROR("lstat %s failed: %s", copy_dst, strerror(errno)); ++ SYSERROR("lstat %s failed", copy_dst); + return -1; + } + +@@ -1770,7 +1770,7 @@ static int copy_own(char *copy_dst, struct stat *src_stat) + return 0; + } + +- ERROR("lchown %s failed: %s", copy_dst, strerror(errno)); ++ SYSERROR("lchown %s failed", copy_dst); + + return ret; + } +@@ -1782,7 +1782,7 @@ static int copy_mode(char *copy_dst, struct stat *src_stat) + } + + if (chmod(copy_dst, src_stat->st_mode) != 0) { +- ERROR("chmod %s failed: %s", copy_dst, strerror(errno)); ++ SYSERROR("chmod %s failed", copy_dst); + return -1; + } + +@@ -1795,7 +1795,7 @@ static int copy_time(char *copy_dst, struct stat *src_stat) + + // copy_dst is absolute path, so first argment is ignored. + if (utimensat(0, copy_dst, tm, AT_SYMLINK_NOFOLLOW) != 0) { +- ERROR("failed to set time of %s: %s", copy_dst, strerror(errno)); ++ SYSERROR("failed to set time of %s", copy_dst); + return -1; + } + +@@ -1806,10 +1806,10 @@ static int set_one_xattr(char *copy_dst, char *key, char *value, ssize_t size) + { + if (lsetxattr(copy_dst, key, value, size, 0) != 0) { + if (errno == ENOTSUP) { +- DEBUG("ignore copy xattr %s of %s: %s", key, copy_dst, strerror(errno)); ++ SYSDEBUG("ignore copy xattr %s of %s", key, copy_dst); + return 0; + } +- ERROR("failed to set xattr %s of %s: %s", key, copy_dst, strerror(errno)); ++ SYSERROR("failed to set xattr %s of %s", key, copy_dst); + return -1; + } + +@@ -1831,10 +1831,10 @@ static int do_copy_xattrs(char *copy_dst, char *copy_src, char *xattrs, ssize_t + size = lgetxattr(copy_src, key, NULL, 0); + if (size < 0) { + if (errno == ENOTSUP) { +- DEBUG("ignore copy xattr %s of %s: %s", key, copy_src, strerror(errno)); ++ SYSDEBUG("ignore copy xattr %s of %s", key, copy_src); + continue; + } +- ERROR("failed to get xattr %s of %s: %s", key, copy_src, strerror(errno)); ++ SYSERROR("failed to get xattr %s of %s", key, copy_src); + ret = -1; + goto out; + } +@@ -1855,10 +1855,10 @@ static int do_copy_xattrs(char *copy_dst, char *copy_src, char *xattrs, ssize_t + + if (lgetxattr(copy_src, key, value, size) < 0) { + if (errno == ENOTSUP) { +- DEBUG("ignore copy xattr %s of %s: %s", key, copy_src, strerror(errno)); ++ SYSDEBUG("ignore copy xattr %s of %s", key, copy_src); + continue; + } +- ERROR("failed to get xattr %s of %s: %s", key, copy_src, strerror(errno)); ++ SYSERROR("failed to get xattr %s of %s", key, copy_src); + ret = -1; + goto out; + } +@@ -1884,10 +1884,10 @@ static int copy_xattrs(char *copy_dst, char *copy_src) + xattrs_len = llistxattr(copy_src, NULL, 0); + if (xattrs_len < 0) { + if (errno == ENOTSUP) { +- DEBUG("ignore copy xattrs of %s: %s", copy_src, strerror(errno)); ++ SYSDEBUG("ignore copy xattrs of %s", copy_src); + return 0; + } +- ERROR("failed to get xattrs length of %s: %s", copy_src, strerror(errno)); ++ SYSERROR("failed to get xattrs length of %s", copy_src); + return -1; + } + +@@ -1904,10 +1904,10 @@ static int copy_xattrs(char *copy_dst, char *copy_src) + + if (llistxattr(copy_src, xattrs, xattrs_len) < 0) { + if (errno == ENOTSUP) { +- DEBUG("ignore copy xattrs of %s: %s", copy_src, strerror(errno)); ++ SYSDEBUG("ignore copy xattrs of %s", copy_src); + goto out; + } +- ERROR("failed to list xattrs of %s: %s", copy_src, strerror(errno)); ++ SYSERROR("failed to list xattrs of %s", copy_src); + ret = -1; + goto out; + } +@@ -1953,7 +1953,7 @@ static int copy_folder(char *copy_dst, char *copy_src) + struct stat dst_stat = { 0 }; + + if (lstat(copy_src, &src_stat) != 0) { +- ERROR("stat %s failed: %s", copy_src, strerror(errno)); ++ SYSERROR("stat %s failed", copy_src); + return -1; + } + if (!S_ISDIR(src_stat.st_mode)) { +@@ -1963,7 +1963,7 @@ static int copy_folder(char *copy_dst, char *copy_src) + + if (lstat(copy_dst, &dst_stat) != 0) { + if (mkdir(copy_dst, src_stat.st_mode) != 0) { +- ERROR("failed to mkdir %s: %s", copy_dst, strerror(errno)); ++ SYSERROR("failed to mkdir %s", copy_dst); + return -1; + } + } else if (!S_ISDIR(dst_stat.st_mode)) { +@@ -1971,7 +1971,7 @@ static int copy_folder(char *copy_dst, char *copy_src) + return -1; + } else { + if (chmod(copy_dst, src_stat.st_mode) != 0) { +- ERROR("failed to chmod %s: %s", copy_dst, strerror(errno)); ++ SYSERROR("failed to chmod %s.", copy_dst); + return -1; + } + } +@@ -1988,7 +1988,7 @@ static int copy_regular(char *copy_dst, char *copy_src, struct stat *src_stat, m + target = map_search(inodes, (void *)(&(src_stat->st_ino))); + if (target != NULL) { + if (link(target, copy_dst) != 0) { +- ERROR("failed to link %s to %s: %s", target, copy_dst, strerror(errno)); ++ SYSERROR("failed to link %s to %s", target, copy_dst); + return -1; + } + return 0; +@@ -2008,12 +2008,12 @@ static int copy_symbolic(char *copy_dst, char *copy_src) + char link[PATH_MAX] = { 0 }; + + if (readlink(copy_src, link, sizeof(link)) < 0) { +- ERROR("readlink of %s failed: %s", copy_src, strerror(errno)); ++ SYSERROR("readlink of %s failed", copy_src); + return -1; + } + + if (symlink(link, copy_dst) != 0) { +- ERROR("create symbolic %s failed: %s", copy_dst, strerror(errno)); ++ SYSERROR("create symbolic %s failed", copy_dst); + return -1; + } + +@@ -2023,7 +2023,7 @@ static int copy_symbolic(char *copy_dst, char *copy_src) + static int copy_device(char *copy_dst, char *copy_src, struct stat *src_stat) + { + if (mknod(copy_dst, src_stat->st_mode, src_stat->st_dev) != 0) { +- ERROR("mknod %s failed: %s", copy_dst, strerror(errno)); ++ SYSERROR("mknod %s failed", copy_dst); + return -1; + } + return 0; +diff --git a/src/utils/cutils/utils_fs.c b/src/utils/cutils/utils_fs.c +index ae71f3ba..63f6d2aa 100644 +--- a/src/utils/cutils/utils_fs.c ++++ b/src/utils/cutils/utils_fs.c +@@ -449,7 +449,7 @@ static int do_real_mount(const char *src, const char *dst, const char *mtype, un + if (!is_remount(src, mntflags) || (mntdata != NULL && strcmp(mntdata, "") != 0)) { + ret = mount(src, dst, mtype, oflags, mntdata); + if (ret < 0) { +- ERROR("Failed to mount from %s to %s:%s", src, dst, strerror(errno)); ++ SYSERROR("Failed to mount from %s to %s", src, dst); + goto out; + } + } +@@ -458,7 +458,7 @@ static int do_real_mount(const char *src, const char *dst, const char *mtype, un + // Change the propagation type. + ret = mount("", dst, "", mntflags & PROPAGATION_FLAGS, ""); + if (ret < 0) { +- ERROR("Failed to change the propagation type of dst %s:%s", dst, strerror(errno)); ++ SYSERROR("Failed to change the propagation type of dst %s.", dst); + goto out; + } + } +@@ -467,7 +467,7 @@ static int do_real_mount(const char *src, const char *dst, const char *mtype, un + // Remount the bind to apply read only. + ret = mount("", dst, "", oflags | MS_REMOUNT, ""); + if (ret < 0) { +- ERROR("Failed to remount the bind to apply read only of dst %s:%s", dst, strerror(errno)); ++ SYSERROR("Failed to remount the bind to apply read only of dst %s.", dst); + goto out; + } + } +@@ -576,7 +576,7 @@ static int util_mount_from_handler(const char *src, const char *dst, const char + + ret = mount(src, dst, mtype, mntflags, mntdata); + if (ret < 0) { +- ERROR("Failed to mount from %s to %s:%s", src, dst, strerror(errno)); ++ SYSERROR("Failed to mount from %s to %s.", src, dst); + goto out; + } + out: +@@ -596,7 +596,7 @@ int util_mount_from(const char *base, const char *src, const char *dst, const ch + + pid = fork(); + if (pid == (pid_t) -1) { +- ERROR("Failed to fork: %s", strerror(errno)); ++ SYSERROR("Failed to fork"); + goto cleanup; + } + +@@ -652,7 +652,7 @@ bool util_check_readonly_fs(const char *path) + continue; + } + +- ERROR("Stat fs failed: %s", strerror(errno)); ++ SYSERROR("Stat fs failed"); + return false; + } + +diff --git a/src/utils/cutils/utils_port.c b/src/utils/cutils/utils_port.c +index 583a3509..fbe143ae 100644 +--- a/src/utils/cutils/utils_port.c ++++ b/src/utils/cutils/utils_port.c +@@ -984,12 +984,12 @@ static int do_close(int sock) + if (close(sock) == 0) { + return 0; + } +- WARN("close socket failed: %s, wait to retry: %zu\n", strerror(errno), i); ++ SYSWARN("close socket failed, wait to retry: %zu\n", i); + // wait 100us to retry + usleep(10000); + } + +- ERROR("close socket failed: %s", strerror(errno)); ++ SYSERROR("close socket failed"); + return -1; + } + +@@ -1006,12 +1006,12 @@ bool util_check_port_free(int port) + + sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) { +- ERROR("get socket failed: %s", strerror(errno)); ++ SYSERROR("get socket failed"); + return false; + } + + if (bind(sock, (struct sockaddr *)&s_addr, sizeof(struct sockaddr_in)) < 0) { +- ERROR("bind port failed: %s\n", strerror(errno)); ++ SYSERROR("bind port failed"); + ret = false; + } + +@@ -1036,19 +1036,19 @@ int util_get_random_port() + + sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) { +- ERROR("get socket failed: %s", strerror(errno)); ++ SYSERROR("get socket failed"); + return -1; + } + + if (bind(sock, (struct sockaddr *)&s_addr, sizeof(struct sockaddr_in)) < 0) { +- ERROR("bind port failed: %s\n", strerror(errno)); ++ SYSERROR("bind port failed"); + ret = -1; + goto out; + } + + s_len = sizeof(struct sockaddr_in); + if (getsockname(sock, (struct sockaddr *)&s_addr, &s_len) == -1) { +- ERROR("getsockname failed: %s\n", strerror(errno)); ++ SYSERROR("getsockname failed"); + ret = -1; + goto out; + } +diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c +index 67313d70..2f10f278 100644 +--- a/src/utils/cutils/utils_verify.c ++++ b/src/utils/cutils/utils_verify.c +@@ -474,7 +474,7 @@ bool util_valid_file(const char *path, uint32_t fmod) + + nret = stat(path, &s); + if (nret < 0) { +- ERROR("stat failed, error: %s", strerror(errno)); ++ SYSERROR("stat failed"); + return false; + } + +diff --git a/src/utils/http/http.c b/src/utils/http/http.c +index 5e46766d..8b74f773 100644 +--- a/src/utils/http/http.c ++++ b/src/utils/http/http.c +@@ -333,7 +333,7 @@ static int ensure_path_file(char **rpath, void *output, bool resume, FILE **page + if (resume) { + mode = "a"; + if (stat(*rpath, &st) < 0) { +- ERROR("stat %s failed: %s", *rpath, strerror(errno)); ++ SYSERROR("stat %s failed", *rpath); + return -1; + } + *fsize = (size_t)st.st_size; +diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c +index d8e044b4..54cc2862 100644 +--- a/src/utils/sha256/sha256.c ++++ b/src/utils/sha256/sha256.c +@@ -124,7 +124,7 @@ char *sha256_digest_file(const char *filename, bool isgzip) + stream = (void *)fopen(filename, "r"); + } + if (stream == NULL) { +- ERROR("open file %s failed: %s", filename, strerror(errno)); ++ SYSERROR("open file %s failed", filename); + return NULL; + } + +@@ -259,13 +259,13 @@ static char *cal_file_digest(const char *filename) + + fp = util_fopen(filename, "r"); + if (fp == NULL) { +- ERROR("failed to open file %s: %s", filename, strerror(errno)); ++ SYSERROR("failed to open file %s.", filename); + return NULL; + } + + digest = sha256_digest_file(filename, false); + if (digest == NULL) { +- ERROR("calc digest for file %s failed: %s", filename, strerror(errno)); ++ SYSERROR("calc digest for file %s failed", filename); + goto err_out; + } + +@@ -299,7 +299,7 @@ static char *cal_gzip_digest(const char *filename) + + digest = sha256_digest_file(filename, true); + if (digest == NULL) { +- ERROR("calc digest for file %s failed: %s", filename, strerror(errno)); ++ SYSERROR("calc digest for file %s failed", filename); + goto err_out; + } + +diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c +index 24269c70..7218cca8 100644 +--- a/src/utils/tar/isulad_tar.c ++++ b/src/utils/tar/isulad_tar.c +@@ -113,7 +113,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r + + if (follow_link) { + if (realpath(path, real_path) == NULL) { +- ERROR("Can not get real path of %s: %s", real_path, strerror(errno)); ++ SYSERROR("Can not get real path of %s.", real_path); + format_errorf(err, "Can not get real path of %s: %s", real_path, strerror(errno)); + return -1; + } +@@ -130,7 +130,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r + goto cleanup; + } + if (realpath(dirpath, real_path) == NULL) { +- ERROR("Can not get real path of %s: %s", dirpath, strerror(errno)); ++ SYSERROR("Can not get real path of %s.", dirpath); + format_errorf(err, "Can not get real path of %s: %s", dirpath, strerror(errno)); + goto cleanup; + } +@@ -191,7 +191,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li + + nret = lstat(resolved_path, &st); + if (nret < 0) { +- ERROR("lstat %s: %s", resolved_path, strerror(errno)); ++ SYSERROR("lstat %s failed", resolved_path); + format_errorf(err, "lstat %s: %s", resolved_path, strerror(errno)); + goto cleanup; + } +@@ -225,7 +225,7 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct + + ret = (int)readlink(iter_path, target, PATH_MAX); + if (ret < 0) { +- ERROR("Failed to read link of %s: %s", iter_path, strerror(errno)); ++ SYSERROR("Failed to read link of %s", iter_path); + format_errorf(err, "Failed to read link of %s: %s", iter_path, strerror(errno)); + goto cleanup; + } +@@ -258,7 +258,7 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct + if (ret != 0) { + char *dst_parent = NULL; + if (errno != ENOENT) { +- ERROR("Can not stat %s: %s", iter_path, strerror(errno)); ++ SYSERROR("Can not stat %s", iter_path); + format_errorf(err, "Can not stat %s: %s", iter_path, strerror(errno)); + goto cleanup; + } +@@ -428,7 +428,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char + char *srcbase = NULL; + + if (lstat(path, &st) < 0) { +- ERROR("lstat %s: %s", path, strerror(errno)); ++ SYSERROR("lstat %s failed", path); + format_errorf(err, "lstat %s: %s", path, strerror(errno)); + return -1; + } +diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c +index d2fc5488..f34572ae 100644 +--- a/src/utils/tar/util_archive.c ++++ b/src/utils/tar/util_archive.c +@@ -343,7 +343,7 @@ static int copy_data(struct archive *ar, struct archive *aw) + } + r = archive_write_data_block(aw, buff, size, offset); + if (r < ARCHIVE_OK) { +- ERROR("tar extraction error: %s, %s", archive_error_string(aw), strerror(archive_errno(aw))); ++ ERROR("tar extraction error: %s", archive_error_string(aw)); + return r; + } + } +@@ -672,7 +672,7 @@ int archive_unpack_handler(const struct io_read_wrapper *content, const struct a + ret = archive_read_open(a, mydata, NULL, read_content, NULL); + if (ret != 0) { + ERROR("Failed to open archive: %s", archive_error_string(a)); +- fprintf(stderr, "Failed to open archive: %s", strerror(errno)); ++ fprintf(stderr, "Failed to open archive: %s", archive_error_string(a)); + ret = -1; + goto out; + } +@@ -688,9 +688,8 @@ int archive_unpack_handler(const struct io_read_wrapper *content, const struct a + } + + if (ret != ARCHIVE_OK) { +- ERROR("Warning reading tar header: %s, %s", archive_error_string(a), strerror(archive_errno(a))); +- (void)fprintf(stderr, "Warning reading tar header: %s, %s", archive_error_string(a), +- strerror(archive_errno(a))); ++ ERROR("Warning reading tar header: %s", archive_error_string(a)); ++ (void)fprintf(stderr, "Warning reading tar header: %s", archive_error_string(a)); + ret = -1; + goto out; + } +@@ -724,26 +723,23 @@ int archive_unpack_handler(const struct io_read_wrapper *content, const struct a + + ret = archive_write_header(ext, entry); + if (ret != ARCHIVE_OK) { +- ERROR("Fail to handle tar header: %s, %s", archive_error_string(ext), strerror(archive_errno(ext))); +- (void)fprintf(stderr, "Fail to handle tar header: %s, %s", archive_error_string(ext), +- strerror(archive_errno(ext))); ++ ERROR("Fail to handle tar header: %s", archive_error_string(ext)); ++ (void)fprintf(stderr, "Fail to handle tar header: %s", archive_error_string(ext)); + ret = -1; + goto out; + } else if (archive_entry_size(entry) > 0) { + ret = copy_data(a, ext); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to do copy tar data: %s, %s", archive_error_string(ext), strerror(archive_errno(ext))); +- (void)fprintf(stderr, "Failed to do copy tar data: %s, %s", archive_error_string(ext), +- strerror(archive_errno(ext))); ++ ERROR("Failed to do copy tar data: %s", archive_error_string(ext)); ++ (void)fprintf(stderr, "Failed to do copy tar data: %s", archive_error_string(ext)); + ret = -1; + goto out; + } + } + ret = archive_write_finish_entry(ext); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to freeing archive entry: %s, %s", archive_error_string(ext), strerror(archive_errno(ext))); +- (void)fprintf(stderr, "Failed to freeing archive entry: %s, %s", archive_error_string(ext), +- strerror(archive_errno(ext))); ++ ERROR("Failed to freeing archive entry: %s", archive_error_string(ext)); ++ (void)fprintf(stderr, "Failed to freeing archive entry: %s", archive_error_string(ext)); + ret = -1; + goto out; + } +@@ -824,7 +820,7 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co + + pid = fork(); + if (pid == (pid_t) -1) { +- ERROR("Failed to fork: %s", strerror(errno)); ++ SYSERROR("Failed to fork"); + goto cleanup; + } + +@@ -844,7 +840,7 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co + + // child process, dup2 pipe_for_read[1] to stderr, + if (dup2(pipe_stderr[1], 2) < 0) { +- ERROR("Dup fd error: %s", strerror(errno)); ++ SYSERROR("Dup fd error"); + ret = -1; + goto child_out; + } +@@ -876,7 +872,7 @@ child_out: + + ret = util_wait_for_pid(pid); + if (ret != 0) { +- ERROR("Wait archive_untar_handler failed with error:%s", strerror(errno)); ++ SYSERROR("Wait archive_untar_handler failed"); + fcntl(pipe_stderr[0], F_SETFL, O_NONBLOCK); + if (util_read_nointr(pipe_stderr[0], errbuf, BUFSIZ) < 0) { + ERROR("read error message from child failed"); +@@ -918,22 +914,21 @@ bool valid_archive_format(const char *file) + + ret = archive_read_support_filter_all(read_archive); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to set archive read support filter all, result is %d, errmsg: %s, %s", ret, +- archive_error_string(read_archive), strerror(archive_errno(read_archive))); ++ ERROR("Failed to set archive read support filter all, result is %d, errmsg: %s", ret, ++ archive_error_string(read_archive)); + goto out; + } + + ret = archive_read_support_format_all(read_archive); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to set archive read support format all, result is %d, errmsg: %s, %s", ret, +- archive_error_string(read_archive), strerror(archive_errno(read_archive))); ++ ERROR("Failed to set archive read support format all, result is %d, errmsg: %s", ret, ++ archive_error_string(read_archive)); + goto out; + } + + ret = archive_read_open_filename(read_archive, file, ARCHIVE_READ_BUFFER_SIZE); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to open archive %s: %s, %s", file, archive_error_string(read_archive), +- strerror(archive_errno(read_archive))); ++ ERROR("Failed to open archive %s: %s", file, archive_error_string(read_archive)); + goto out; + } + +@@ -944,15 +939,13 @@ bool valid_archive_format(const char *file) + goto out; + } + if (ret != ARCHIVE_OK) { +- ERROR("Failed to read next header for file %s: %s, %s", file, archive_error_string(read_archive), +- strerror(archive_errno(read_archive))); ++ ERROR("Failed to read next header for file %s: %s", file, archive_error_string(read_archive)); + goto out; + } + + out: + if (archive_read_free(read_archive) != ARCHIVE_OK) { +- ERROR("Failed to free archive %s: %s, %s", file, archive_error_string(read_archive), +- strerror(archive_errno(read_archive))); ++ ERROR("Failed to free archive %s: %s", file, archive_error_string(read_archive)); + } + read_archive = NULL; + +@@ -979,19 +972,15 @@ static int copy_data_between_archives(struct archive *ar, struct archive *aw) + goto out; + } + if (size < 0) { +- ERROR("tar archive read result %d, error: %s, %s", ret, archive_error_string(ar), +- strerror(archive_errno(ar))); +- (void)fprintf(stderr, "tar archive read result %d, error: %s, %s", ret, archive_error_string(ar), +- strerror(archive_errno(ar))); ++ ERROR("tar archive read result %d, error: %s", ret, archive_error_string(ar)); ++ (void)fprintf(stderr, "tar archive read result %d, error: %s", ret, archive_error_string(ar)); + ret = ARCHIVE_FAILED; + goto out; + } + ret = archive_write_data(aw, buff, size); + if (ret < ARCHIVE_OK) { +- ERROR("tar archive write result %d, error: %s, %s", ret, archive_error_string(aw), +- strerror(archive_errno(aw))); +- (void)fprintf(stderr, "tar archive write result %d, error: %s, %s", ret, archive_error_string(aw), +- strerror(archive_errno(aw))); ++ ERROR("tar archive write result %d, error: %s", ret, archive_error_string(aw)); ++ (void)fprintf(stderr, "tar archive write result %d, error: %s", ret, archive_error_string(aw)); + goto out; + } + } +@@ -1064,8 +1053,8 @@ int tar_handler(struct archive *r, struct archive *w, const char *src_base, cons + } + + if (ret != ARCHIVE_OK) { +- ERROR("read from disk failed: %s, %s", archive_error_string(r), strerror(archive_errno(r))); +- (void)fprintf(stderr, "read from disk failed: %s, %s", archive_error_string(r), strerror(archive_errno(r))); ++ ERROR("read from disk failed: %s", archive_error_string(r)); ++ (void)fprintf(stderr, "read from disk failed: %s", archive_error_string(r)); + break; + } + +@@ -1083,37 +1072,34 @@ int tar_handler(struct archive *r, struct archive *w, const char *src_base, cons + } + ret = archive_write_header(w, entry); + if (ret != ARCHIVE_OK) { +- ERROR("Fail to write tar header: %s, %s\nlink:%s target:%s", archive_error_string(w), +- strerror(archive_errno(w)), archive_entry_pathname(entry), archive_entry_hardlink(entry)); +- (void)fprintf(stderr, "Fail to write tar header: %s, %s\nlink:%s target:%s\n", archive_error_string(w), +- strerror(archive_errno(w)), archive_entry_pathname(entry), archive_entry_hardlink(entry)); ++ ERROR("Fail to write tar header: %s.\nlink:%s target:%s", archive_error_string(w), ++ archive_entry_pathname(entry), archive_entry_hardlink(entry)); ++ (void)fprintf(stderr, "Fail to write tar header: %s.\nlink:%s target:%s\n", archive_error_string(w), ++ archive_entry_pathname(entry), archive_entry_hardlink(entry)); + break; + } + + if (archive_entry_size(entry) > 0) { + ret = copy_data_between_archives(r, w); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to do copy data: %s, %s", archive_error_string(w), strerror(archive_errno(w))); +- (void)fprintf(stderr, "Failed to do copy data: %s, %s\n", archive_error_string(w), +- strerror(archive_errno(w))); ++ ERROR("Failed to do copy data: %s", archive_error_string(w)); ++ (void)fprintf(stderr, "Failed to do copy data: %s\n", archive_error_string(w)); + break; + } + } + + ret = archive_write_finish_entry(w); + if (ret != ARCHIVE_OK) { +- ERROR("Failed to freeing archive entry: %s, %s", archive_error_string(w), strerror(archive_errno(w))); +- (void)fprintf(stderr, "Failed to freeing archive entry: %s, %s\n", archive_error_string(w), +- strerror(archive_errno(w))); ++ ERROR("Failed to freeing archive entry: %s", archive_error_string(w)); ++ (void)fprintf(stderr, "Failed to freeing archive entry: %s\n", archive_error_string(w)); + break; + } + + if (archive_entry_filetype(entry) == AE_IFDIR) { + ret = archive_read_disk_descend(r); + if (ret != ARCHIVE_OK) { +- ERROR("read disk descend failed: %s, %s", archive_error_string(w), strerror(archive_errno(w))); +- (void)fprintf(stderr, "read disk descend failed: %s, %s\n", archive_error_string(w), +- strerror(archive_errno(w))); ++ ERROR("read disk descend failed: %s", archive_error_string(w)); ++ (void)fprintf(stderr, "read disk descend failed: %s\n", archive_error_string(w)); + break; + } + } +@@ -1169,9 +1155,8 @@ static int tar_all(const struct io_write_wrapper *writer, const char *tar_dir, c + archive_read_disk_set_behavior(r, ARCHIVE_READDISK_NO_TRAVERSE_MOUNTS); + ret = archive_read_disk_open(r, tar_dir); + if (ret != ARCHIVE_OK) { +- ERROR("open archive read failed: %s, %s", archive_error_string(r), strerror(archive_errno(r))); +- (void)fprintf(stderr, "open archive read failed: %s, %s\n", archive_error_string(r), +- strerror(archive_errno(r))); ++ ERROR("open archive read failed: %s", archive_error_string(r)); ++ (void)fprintf(stderr, "open archive read failed: %s\n", archive_error_string(r)); + goto out; + } + +@@ -1186,9 +1171,8 @@ static int tar_all(const struct io_write_wrapper *writer, const char *tar_dir, c + archive_write_set_options(w, "xattrheader=SCHILY"); + ret = archive_write_open(w, (void *)writer, NULL, stream_write_data, NULL); + if (ret != ARCHIVE_OK) { +- ERROR("open archive write failed: %s, %s", archive_error_string(w), strerror(archive_errno(w))); +- (void)fprintf(stderr, "open archive write failed: %s, %s\n", archive_error_string(w), +- strerror(archive_errno(w))); ++ ERROR("open archive write failed: %s", archive_error_string(w)); ++ (void)fprintf(stderr, "open archive write failed: %s\n", archive_error_string(w)); + goto out; + } + +@@ -1261,14 +1245,14 @@ int archive_chroot_tar(const char *path, const char *file, const char *root_dir, + + // child process, dup2 pipe_for_read[1] to stderr, + if (dup2(pipe_for_read[1], 2) < 0) { +- ERROR("Dup fd error: %s", strerror(errno)); ++ SYSERROR("Dup fd failed"); + ret = -1; + goto child_out; + } + + fd = open(file, TAR_DEFAULT_FLAG, TAR_DEFAULT_MODE); + if (fd < 0) { +- ERROR("Failed to open file %s for export: %s", file, strerror(errno)); ++ SYSERROR("Failed to open file %s for export", file); + fprintf(stderr, "Failed to open file %s for export: %s\n", file, strerror(errno)); + ret = -1; + goto child_out; +@@ -1477,17 +1461,17 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha + } + + if (pipe(pipe_stderr) != 0) { +- ERROR("Failed to create pipe: %s", strerror(errno)); ++ SYSERROR("Failed to create pipe"); + goto cleanup; + } + if (pipe(pipe_stream) != 0) { +- ERROR("Failed to create pipe: %s", strerror(errno)); ++ SYSERROR("Failed to create pipe"); + goto cleanup; + } + + pid = fork(); + if (pid == (pid_t) -1) { +- ERROR("Failed to fork: %s", strerror(errno)); ++ SYSERROR("Failed to fork"); + goto cleanup; + } + +@@ -1506,7 +1490,7 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha + + // child process, dup2 pipe_stderr[1] to stderr, + if (dup2(pipe_stderr[1], 2) < 0) { +- ERROR("Dup fd error: %s", strerror(errno)); ++ SYSERROR("Dup fd error"); + ret = -1; + goto child_out; + } +@@ -1562,7 +1546,7 @@ child_out: + while (read_len > 0) { + ssize_t writed_len = archive_context_write(ctx, buf, (size_t)read_len); + if (writed_len < 0) { +- DEBUG("Tar may exited: %s", strerror(errno)); ++ SYSDEBUG("Tar may exited"); + break; + } + read_len = context->read(context->context, buf, buf_len); +@@ -1613,17 +1597,17 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons + } + + if (pipe(pipe_stderr) != 0) { +- ERROR("Failed to create pipe: %s", strerror(errno)); ++ SYSERROR("Failed to create pipe"); + goto free_out; + } + if (pipe(pipe_stream) != 0) { +- ERROR("Failed to create pipe: %s", strerror(errno)); ++ SYSERROR("Failed to create pipe"); + goto free_out; + } + + pid = fork(); + if (pid == (pid_t) -1) { +- ERROR("Failed to fork: %s", strerror(errno)); ++ SYSERROR("Failed to fork"); + goto free_out; + } + +@@ -1645,7 +1629,7 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons + + // child process, dup2 pipe_stderr[1] to stderr, + if (dup2(pipe_stderr[1], 2) < 0) { +- ERROR("Dup fd error: %s", strerror(errno)); ++ SYSERROR("Dup fd error"); + ret = -1; + goto child_out; + } +diff --git a/src/utils/tar/util_gzip.c b/src/utils/tar/util_gzip.c +index bf649300..0c8c8372 100644 +--- a/src/utils/tar/util_gzip.c ++++ b/src/utils/tar/util_gzip.c +@@ -42,13 +42,13 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode) + + srcfd = util_open(srcfile, O_RDONLY, SECURE_CONFIG_FILE_MODE); + if (srcfd < 0) { +- ERROR("Open src file: %s, failed: %s", srcfile, strerror(errno)); ++ SYSERROR("Open src file: %s, failed", srcfile); + return -1; + } + + stream = gzopen(dstfile, "w"); + if (stream == NULL) { +- ERROR("gzopen %s error: %s", dstfile, strerror(errno)); ++ SYSERROR("gzopen %s failed", dstfile); + close(srcfd); + return -1; + } +@@ -64,7 +64,7 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode) + int n; + size = util_read_nointr(srcfd, buffer, BLKSIZE); + if (size < 0) { +- ERROR("read file %s failed: %s", srcfile, strerror(errno)); ++ SYSERROR("read file %s failed", srcfile); + ret = -1; + break; + } else if (size == 0) { +@@ -92,7 +92,7 @@ out: + free(buffer); + if (ret != 0) { + if (util_path_remove(dstfile) != 0) { +- ERROR("Remove file %s failed: %s", dstfile, strerror(errno)); ++ SYSERROR("Remove file %s failed", dstfile); + } + } + +@@ -115,7 +115,7 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp) + + stream = gzopen(srcfile, "r"); + if (stream == NULL) { +- ERROR("gzopen %s failed: %s", srcfile, strerror(errno)); ++ SYSERROR("gzopen %s failed", srcfile); + return -1; + } + +@@ -142,7 +142,7 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp) + size = fwrite(buffer, 1, n, (FILE *)dstfp); + if (size != n) { + ret = -1; +- ERROR("Write file failed: %s", strerror(errno)); ++ SYSERROR("Write file failed"); + break; + } + } +-- +2.25.1 + diff --git a/0010-do-not-report-low-level-error-to-user.patch b/0010-do-not-report-low-level-error-to-user.patch new file mode 100644 index 0000000000000000000000000000000000000000..b215682b40ab997961097bfe51871143403b3615 --- /dev/null +++ b/0010-do-not-report-low-level-error-to-user.patch @@ -0,0 +1,358 @@ +From ab03fdd4261ebc11f18e3b783dfc38558e5247b5 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Wed, 6 Sep 2023 10:45:37 +0800 +Subject: [PATCH 10/32] do not report low level error to user + +Signed-off-by: haozi007 +--- + src/daemon/entry/cri/cri_helpers.cc | 4 ++-- + .../v1alpha/cri_container_manager_service.cc | 3 ++- + src/daemon/executor/container_cb/execution.c | 4 ++-- + .../executor/container_cb/execution_network.c | 17 ++++++++--------- + .../executor/container_cb/execution_stream.c | 4 ++-- + src/daemon/modules/container/container_unix.c | 2 +- + src/daemon/modules/image/external/ext_image.c | 4 ++-- + src/daemon/modules/image/oci/oci_load.c | 2 +- + .../modules/runtime/engines/lcr/lcr_rt_ops.c | 3 +-- + src/daemon/modules/service/service_container.c | 2 +- + src/daemon/modules/spec/verify.c | 2 +- + src/daemon/modules/volume/local.c | 8 ++++---- + src/utils/tar/isulad_tar.c | 16 ++++++++-------- + src/utils/tar/util_archive.c | 12 ++++++------ + 14 files changed, 41 insertions(+), 42 deletions(-) + +diff --git a/src/daemon/entry/cri/cri_helpers.cc b/src/daemon/entry/cri/cri_helpers.cc +index a80ec7d0..2e1096f5 100644 +--- a/src/daemon/entry/cri/cri_helpers.cc ++++ b/src/daemon/entry/cri/cri_helpers.cc +@@ -540,8 +540,8 @@ void RemoveContainerLogSymlink(const std::string &containerID, Errors &error) + if (path != nullptr) { + // Only remove the symlink when container log path is specified. + if (util_path_remove(path) != 0 && errno != ENOENT) { +- error.Errorf("Failed to remove container %s log symlink %s: %s", containerID.c_str(), path, +- strerror(errno)); ++ SYSERROR("Failed to remove container %s log symlink %s.", containerID.c_str(), path); ++ error.Errorf("Failed to remove container %s log symlink %s.", containerID.c_str(), path); + goto cleanup; + } + } +diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc +index b4faab95..013b938a 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc +@@ -547,8 +547,9 @@ void ContainerManagerService::CreateContainerLogSymlink(const std::string &conta + WARN("Deleted previously existing symlink file: %s", path); + } + if (symlink(realPath, path) != 0) { ++ SYSERROR("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str()); + error.Errorf("failed to create symbolic link %s to the container log file %s for container %s: %s", path, +- realPath, containerID.c_str(), strerror(errno)); ++ realPath, containerID.c_str()); + goto cleanup; + } + } else { +diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c +index d3571b7f..63d8143c 100644 +--- a/src/daemon/executor/container_cb/execution.c ++++ b/src/daemon/executor/container_cb/execution.c +@@ -345,13 +345,13 @@ static int maybe_create_cpu_realtime_file(int64_t value, const char *file, const + fd = util_open(fpath, O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, 0700); + if (fd < 0) { + SYSERROR("Failed to open file: %s.", fpath); +- isulad_set_error_message("Failed to open file: %s: %s", fpath, strerror(errno)); ++ isulad_set_error_message("Failed to open file: %s.", fpath); + return -1; + } + nwrite = util_write_nointr(fd, buf, strlen(buf)); + if (nwrite < 0 || (size_t)nwrite != strlen(buf)) { + SYSERROR("Failed to write %s to %s.", buf, fpath); +- isulad_set_error_message("Failed to write '%s' to '%s': %s", buf, fpath, strerror(errno)); ++ isulad_set_error_message("Failed to write '%s' to '%s'.", buf, fpath); + return -1; + } + +diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c +index ce924332..a145e33a 100644 +--- a/src/daemon/executor/container_cb/execution_network.c ++++ b/src/daemon/executor/container_cb/execution_network.c +@@ -68,8 +68,8 @@ static int write_hostname_to_file(const char *rootfs, const char *hostname) + + ret = util_write_file(file_path, hostname, strlen(hostname), NETWORK_MOUNT_FILE_MODE); + if (ret) { +- SYSERROR("Failed to write %s", file_path); +- isulad_set_error_message("Failed to write %s: %s", file_path, strerror(errno)); ++ SYSERROR("Failed to write %s.", file_path); ++ isulad_set_error_message("Failed to write %s.", file_path); + goto out; + } + +@@ -97,8 +97,8 @@ static int fopen_network(FILE **fp, char **file_path, const char *rootfs, const + + *fp = util_fopen(*file_path, "a+"); + if (*fp == NULL) { +- SYSERROR("Failed to open %s", *file_path); +- isulad_set_error_message("Failed to open %s: %s", *file_path, strerror(errno)); ++ SYSERROR("Failed to open %s.", *file_path); ++ isulad_set_error_message("Failed to open %s.", *file_path); + return -1; + } + return 0; +@@ -169,8 +169,8 @@ static int write_content_to_file(const char *file_path, const char *content) + if (content != NULL) { + ret = util_write_file(file_path, content, strlen(content), NETWORK_MOUNT_FILE_MODE); + if (ret != 0) { +- SYSERROR("Failed to write file %s", file_path); +- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); ++ SYSERROR("Failed to write file %s.", file_path); ++ isulad_set_error_message("Failed to write file %s.", file_path); + return ret; + } + } +@@ -702,9 +702,8 @@ static int chown_network(const char *user_remap, const char *rootfs, const char + goto out; + } + if (chown(file_path, host_uid, host_gid) != 0) { +- SYSERROR("Failed to chown network file '%s' to %u:%u", filename, host_uid, host_gid); +- isulad_set_error_message("Failed to chown network file '%s' to %u:%u: %s", filename, host_uid, host_gid, +- strerror(errno)); ++ SYSERROR("Failed to chown network file '%s' to %u:%u.", filename, host_uid, host_gid); ++ isulad_set_error_message("Failed to chown network file '%s' to %u:%u.", filename, host_uid, host_gid); + ret = -1; + goto out; + } +diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c +index 7e84cca3..aae9c234 100644 +--- a/src/daemon/executor/container_cb/execution_stream.c ++++ b/src/daemon/executor/container_cb/execution_stream.c +@@ -536,7 +536,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c + nret = lstat(resolvedpath, &st); + if (nret < 0) { + SYSERROR("lstat %s failed.", resolvedpath); +- isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); ++ isulad_set_error_message("lstat %s failed.", resolvedpath); + goto cleanup; + } + +@@ -922,7 +922,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha + nret = lstat(resolvedpath, &st); + if (nret < 0) { + SYSERROR("lstat %s failed", resolvedpath); +- isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); ++ isulad_set_error_message("lstat %s failed", resolvedpath); + goto cleanup; + } + +diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c +index e8c98441..fa53a85f 100644 +--- a/src/daemon/modules/container/container_unix.c ++++ b/src/daemon/modules/container/container_unix.c +@@ -518,7 +518,7 @@ static int save_json_config_file(const char *id, const char *rootpath, const cha + nret = util_atomic_write_file(filename, json_data, strlen(json_data), CONFIG_FILE_MODE, false); + if (nret != 0) { + SYSERROR("Write file %s failed.", filename); +- isulad_set_error_message("Write file '%s' failed: %s", filename, strerror(errno)); ++ isulad_set_error_message("Write file '%s' failed.", filename); + ret = -1; + } + +diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c +index 10af82a3..e1706469 100644 +--- a/src/daemon/modules/image/external/ext_image.c ++++ b/src/daemon/modules/image/external/ext_image.c +@@ -65,8 +65,8 @@ int ext_prepare_rf(const im_prepare_request *request, char **real_rootfs) + return -1; + } + if (realpath(request->rootfs, real_path) == NULL) { +- SYSERROR("Failed to clean rootfs path '%s'", request->rootfs); +- isulad_set_error_message("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno)); ++ SYSERROR("Failed to clean rootfs path '%s'.", request->rootfs); ++ isulad_set_error_message("Failed to clean rootfs path '%s'.", request->rootfs); + return -1; + } + *real_rootfs = util_strdup_s(real_path); +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index d2efab81..5511a70c 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -1046,7 +1046,7 @@ static char *oci_load_path_create() + + if (mkdtemp(tmp_dir) == NULL) { + SYSERROR("make temporary dir failed"); +- isulad_try_set_error_message("make temporary dir failed: %s", strerror(errno)); ++ isulad_try_set_error_message("make temporary dir failed"); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c +index e985cfc1..f61316d0 100644 +--- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c ++++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c +@@ -209,9 +209,8 @@ static int remove_container_rootpath(const char *id, const char *root_path) + } + ret = util_recursive_rmdir(cont_root_path, 0); + if (ret != 0) { +- const char *tmp_err = (errno != 0) ? strerror(errno) : "error"; + SYSERROR("Failed to delete container's root directory %s.", cont_root_path); +- isulad_set_error_message("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err); ++ isulad_set_error_message("Failed to delete container's root directory %s.", cont_root_path); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 483670de..370ba059 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -596,7 +596,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem + + if (lstat(mp->source, &st) != 0) { + SYSERROR("lstat %s failed", mp->source); +- isulad_set_error_message("lstat %s: %s", mp->source, strerror(errno)); ++ isulad_set_error_message("lstat %s failed", mp->source); + return -1; + } + +diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c +index 6180b887..92029cbd 100644 +--- a/src/daemon/modules/spec/verify.c ++++ b/src/daemon/modules/spec/verify.c +@@ -1536,7 +1536,7 @@ static int verify_custom_mount(defs_mount **mounts, size_t len) + if (!util_file_exists(iter->source) && util_mkdir_p(iter->source, mode)) { + #endif + SYSERROR("Failed to create directory '%s'", iter->source); +- isulad_try_set_error_message("Failed to create directory '%s': %s", iter->source, strerror(errno)); ++ isulad_try_set_error_message("Failed to create directory '%s'", iter->source); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/volume/local.c b/src/daemon/modules/volume/local.c +index 7f95757d..6c3354dc 100644 +--- a/src/daemon/modules/volume/local.c ++++ b/src/daemon/modules/volume/local.c +@@ -556,15 +556,15 @@ static int remove_volume_dir(char *path) + // remain untouched if we remove the data directory failed. + ret = util_recursive_rmdir(path, 0); + if (ret != 0) { +- SYSERROR("failed to remove volume data dir %s", path); +- isulad_try_set_error_message("failed to remove volume data dir %s: %s", path, strerror(errno)); ++ SYSERROR("failed to remove volume data dir %s.", path); ++ isulad_try_set_error_message("failed to remove volume data dir %s.", path); + goto out; + } + + ret = util_recursive_rmdir(vol_dir, 0); + if (ret != 0) { +- SYSERROR("failed to remove volume dir %s", vol_dir); +- isulad_try_set_error_message("failed to remove volume dir %s: %s", vol_dir, strerror(errno)); ++ SYSERROR("failed to remove volume dir %s.", vol_dir); ++ isulad_try_set_error_message("failed to remove volume dir %s.", vol_dir); + goto out; + } + +diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c +index 7218cca8..bffbb43b 100644 +--- a/src/utils/tar/isulad_tar.c ++++ b/src/utils/tar/isulad_tar.c +@@ -114,7 +114,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r + if (follow_link) { + if (realpath(path, real_path) == NULL) { + SYSERROR("Can not get real path of %s.", real_path); +- format_errorf(err, "Can not get real path of %s: %s", real_path, strerror(errno)); ++ format_errorf(err, "Can not get real path of %s.", real_path); + return -1; + } + nret = get_rebase_name(path, real_path, resolved_path, rebase_name); +@@ -131,7 +131,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r + } + if (realpath(dirpath, real_path) == NULL) { + SYSERROR("Can not get real path of %s.", dirpath); +- format_errorf(err, "Can not get real path of %s: %s", dirpath, strerror(errno)); ++ format_errorf(err, "Can not get real path of %s.", dirpath); + goto cleanup; + } + nret = snprintf(resolved, sizeof(resolved), "%s/%s", real_path, basepath); +@@ -192,7 +192,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li + nret = lstat(resolved_path, &st); + if (nret < 0) { + SYSERROR("lstat %s failed", resolved_path); +- format_errorf(err, "lstat %s: %s", resolved_path, strerror(errno)); ++ format_errorf(err, "lstat %s failed", resolved_path); + goto cleanup; + } + +@@ -225,8 +225,8 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct + + ret = (int)readlink(iter_path, target, PATH_MAX); + if (ret < 0) { +- SYSERROR("Failed to read link of %s", iter_path); +- format_errorf(err, "Failed to read link of %s: %s", iter_path, strerror(errno)); ++ SYSERROR("Failed to read link of %s.", iter_path); ++ format_errorf(err, "Failed to read link of %s.", iter_path); + goto cleanup; + } + // is not absolutely path +@@ -258,8 +258,8 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct + if (ret != 0) { + char *dst_parent = NULL; + if (errno != ENOENT) { +- SYSERROR("Can not stat %s", iter_path); +- format_errorf(err, "Can not stat %s: %s", iter_path, strerror(errno)); ++ SYSERROR("Can not stat %s.", iter_path); ++ format_errorf(err, "Can not stat %s.", iter_path); + goto cleanup; + } + +@@ -429,7 +429,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char + + if (lstat(path, &st) < 0) { + SYSERROR("lstat %s failed", path); +- format_errorf(err, "lstat %s: %s", path, strerror(errno)); ++ format_errorf(err, "lstat %s failed", path); + return -1; + } + if (util_split_path_dir_entry(path, &srcdir, &srcbase) < 0) { +diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c +index f34572ae..82194654 100644 +--- a/src/utils/tar/util_archive.c ++++ b/src/utils/tar/util_archive.c +@@ -257,8 +257,8 @@ static int do_safe_chroot(const char *dstdir) + prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + + if (chroot(dstdir) != 0) { +- SYSERROR("Failed to chroot to %s", dstdir); +- fprintf(stderr, "Failed to chroot to %s: %s", dstdir, strerror(errno)); ++ SYSERROR("Failed to chroot to %s.", dstdir); ++ fprintf(stderr, "Failed to chroot to %s.", dstdir); + return -1; + } + +@@ -846,15 +846,15 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co + } + + if (do_safe_chroot(safe_dir) != 0) { +- SYSERROR("Failed to chroot to %s", safe_dir); +- fprintf(stderr, "Failed to chroot to %s: %s", safe_dir, strerror(errno)); ++ SYSERROR("Failed to chroot to %s.", safe_dir); ++ fprintf(stderr, "Failed to chroot to %s.", safe_dir); + ret = -1; + goto child_out; + } + + if (chdir("/") != 0) { + SYSERROR("Failed to chroot to /"); +- fprintf(stderr, "Failed to chroot to /: %s", strerror(errno)); ++ fprintf(stderr, "Failed to chroot to /"); + ret = -1; + goto child_out; + } +@@ -1253,7 +1253,7 @@ int archive_chroot_tar(const char *path, const char *file, const char *root_dir, + fd = open(file, TAR_DEFAULT_FLAG, TAR_DEFAULT_MODE); + if (fd < 0) { + SYSERROR("Failed to open file %s for export", file); +- fprintf(stderr, "Failed to open file %s for export: %s\n", file, strerror(errno)); ++ fprintf(stderr, "Failed to open file %s for export\n", file); + ret = -1; + goto child_out; + } +-- +2.25.1 + diff --git a/0010-fix-memory-leak-of-top_layer.patch b/0010-fix-memory-leak-of-top_layer.patch deleted file mode 100644 index d840c5c8bc665e8161b98df899fb34f6ba8241f0..0000000000000000000000000000000000000000 --- a/0010-fix-memory-leak-of-top_layer.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 10d3f420735925bcc747384198fdc07bb8faf0c2 Mon Sep 17 00:00:00 2001 -From: "Neil.wrz" -Date: Wed, 24 May 2023 18:35:33 -0700 -Subject: [PATCH 10/15] fix memory leak of top_layer - -Signed-off-by: Neil.wrz ---- - .../oci/storage/image_store/image_store.c | 3 +- - .../remote_layer_support/image_remote_impl.c | 50 +++++++++++++------ - .../overlay_remote_impl.c | 4 +- - 3 files changed, 38 insertions(+), 19 deletions(-) - -diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c -index 473ba3c8..65b90832 100644 ---- a/src/daemon/modules/image/oci/storage/image_store/image_store.c -+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c -@@ -3681,7 +3681,8 @@ int remote_append_image_by_directory_with_lock(const char *id) - nret = snprintf(image_path, sizeof(image_path), "%s/%s", g_image_store->dir, id); - if (nret < 0 || (size_t)nret >= sizeof(image_path)) { - ERROR("Failed to get image path"); -- return -1; -+ ret = -1; -+ goto out; - } - - ret = append_image_by_directory(image_path); -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c -index 92bf901d..b4a53ec1 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c -@@ -126,11 +126,43 @@ out: - return ret; - } - -+static int check_top_layer_and_add_image(const char *id) -+{ -+ char *top_layer = NULL; -+ int ret = 0; -+ -+ top_layer = remote_image_get_top_layer_from_json(id); -+ if (top_layer == NULL) { -+ WARN("Can't get top layer id for image: %s, image not add", id); -+ return 0; -+ } -+ -+ if (!remote_layer_layer_valid(top_layer)) { -+ WARN("Current not find valid under layer, remote image:%s not add", id); -+ if (!map_remove(image_byid_new, (void *)id)) { -+ WARN("image %s will not be loaded from remote.", id); -+ } -+ goto out; -+ } -+ -+ if (remote_append_image_by_directory_with_lock(id) != 0) { -+ ERROR("Failed to load image into memrory: %s", id); -+ if (!map_remove(image_byid_new, (void *)id)) { -+ WARN("image %s will not be loaded from remote", id); -+ } -+ ret = -1; -+ } -+ -+out: -+ free(top_layer); -+ -+ return ret; -+} -+ - static int remote_image_add(void *data) - { - char **array_added = NULL; - char **array_deleted = NULL; -- char *top_layer = NULL; - map_t *tmp_map = NULL; - bool exist = true; - size_t i = 0; -@@ -144,20 +176,7 @@ static int remote_image_add(void *data) - array_deleted = remote_deleted_layers(image_byid_old, image_byid_new); - - for (i = 0; i < util_array_len((const char **)array_added); i++) { -- top_layer = remote_image_get_top_layer_from_json(array_added[i]); -- if (top_layer != NULL && !remote_layer_layer_valid(top_layer)) { -- WARN("Current not find valid under layer, remoet image:%s not added", array_added[i]); -- if (!map_remove(image_byid_new, (void *)array_added[i])) { -- WARN("image %s will not be loaded from remote.", array_added[i]); -- } -- continue; -- } -- -- if (remote_append_image_by_directory_with_lock(array_added[i]) != 0) { -- ERROR("Failed to load image into memrory: %s", array_added[i]); -- if (!map_remove(image_byid_new, (void *)array_added[i])) { -- WARN("image %s will not be loaded from remote", array_added[i]); -- } -+ if (check_top_layer_and_add_image(array_added[i]) != 0) { - ret = -1; - } - } -@@ -179,7 +198,6 @@ static int remote_image_add(void *data) - - util_free_array(array_added); - util_free_array(array_deleted); -- free(top_layer); - - return ret; - } -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -index 30caf175..238506c2 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -@@ -292,7 +292,7 @@ free_out: - return ret; - } - --static int remote_image_add(struct remote_overlay_data *data) -+static int remote_overlay_add(struct remote_overlay_data *data) - { - int ret = 0; - char **array_added = NULL; -@@ -346,7 +346,7 @@ void remote_overlay_refresh(struct remote_overlay_data *data) - return; - } - -- if (remote_image_add(data) != 0) { -+ if (remote_overlay_add(data) != 0) { - ERROR("refresh overlay failed"); - } - } --- -2.25.1 - diff --git a/0011-distinguishing-exit-codes-between-shim-and-container.patch b/0011-distinguishing-exit-codes-between-shim-and-container.patch deleted file mode 100644 index 1cbc3b52ae37cef21eaf904ca0ebdeb1b4adc39d..0000000000000000000000000000000000000000 --- a/0011-distinguishing-exit-codes-between-shim-and-container.patch +++ /dev/null @@ -1,223 +0,0 @@ -From b878dde993c8da90788fae5c2a463812001bff30 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Wed, 24 May 2023 09:35:35 +0800 -Subject: [PATCH 11/15] distinguishing exit codes between shim and container - processes - -Signed-off-by: zhongtao ---- - src/cmd/isulad-shim/main.c | 10 ++- - src/cmd/isulad-shim/process.c | 8 ++- - .../modules/runtime/isula/isula_rt_ops.c | 63 +++++++++++++++---- - 3 files changed, 64 insertions(+), 17 deletions(-) - -diff --git a/src/cmd/isulad-shim/main.c b/src/cmd/isulad-shim/main.c -index ed55805c..e2625aac 100644 ---- a/src/cmd/isulad-shim/main.c -+++ b/src/cmd/isulad-shim/main.c -@@ -160,5 +160,13 @@ int main(int argc, char **argv) - - released_timeout_exit(); - -- return process_signal_handle_routine(p, tid_epoll, timeout); -+ ret = process_signal_handle_routine(p, tid_epoll, timeout); -+ if (ret == SHIM_ERR) { -+ exit(EXIT_FAILURE); -+ } -+ if (ret == SHIM_ERR_TIMEOUT) { -+ exit(SHIM_EXIT_TIMEOUT); -+ } -+ -+ exit(EXIT_SUCCESS); - } -diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c -index 6ad50c53..1d070f83 100644 ---- a/src/cmd/isulad-shim/process.c -+++ b/src/cmd/isulad-shim/process.c -@@ -1269,7 +1269,7 @@ int process_signal_handle_routine(process_t *p, const pthread_t tid_epoll, const - nret = kill(p->ctr_pid, SIGKILL); - if (nret < 0 && errno != ESRCH) { - write_message(g_log_fd, ERR_MSG, "Can not kill process (pid=%d) with SIGKILL", p->ctr_pid); -- exit(EXIT_FAILURE); -+ return SHIM_ERR; - } - } - -@@ -1307,8 +1307,10 @@ int process_signal_handle_routine(process_t *p, const pthread_t tid_epoll, const - - if (ret == SHIM_ERR_TIMEOUT) { - write_message(g_log_fd, INFO_MSG, "Wait %d timeout", p->ctr_pid); -- exit(SHIM_EXIT_TIMEOUT); -+ return SHIM_ERR_TIMEOUT; - } -- return status; - -+ // write container process exit_code in stdout -+ (void)write_nointr(STDOUT_FILENO, &status, sizeof(int)); -+ return SHIM_OK; - } -diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c -index 07f714f0..84a081c1 100644 ---- a/src/daemon/modules/runtime/isula/isula_rt_ops.c -+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c -@@ -677,9 +677,9 @@ static int runtime_call_kill_and_check(const char *workdir, const char *runtime, - static int runtime_call_delete_force(const char *workdir, const char *runtime, const char *id) - { - const char *opts[1] = { "--force" }; -- // delete succeed, return 0; -- // When the runc version is less than or equal to v1.0.0-rc3, -- // if the container does not exist when force deleting it, -+ // delete succeed, return 0; -+ // When the runc version is less than or equal to v1.0.0-rc3, -+ // if the container does not exist when force deleting it, - // runc will report an error and isulad does not need to retry the deletion again. - // related PR ID:d1a743674a98e23d348b29f52c43436356f56b79 - // non_existent_output_check succeed, return 0; -@@ -704,11 +704,16 @@ static int status_to_exit_code(int status) - return exit_code; - } - -+/* -+ exit_code records the exit code of the container, obtained by reading the stdout of isulad-shim; -+ shim_exit_code records the exit code of isulad-shim, obtained through waitpid; -+*/ - static int shim_create(bool fg, const char *id, const char *workdir, const char *bundle, const char *runtime_cmd, -- int *exit_code, const char* timeout) -+ int *exit_code, const char* timeout, int* shim_exit_code) - { - pid_t pid = 0; - int exec_fd[2] = { -1, -1 }; -+ int shim_stdout_pipe[2] = { -1, -1 }; - int num = 0; - int ret = 0; - char exec_buff[BUFSIZ + 1] = { 0 }; -@@ -738,11 +743,18 @@ static int shim_create(bool fg, const char *id, const char *workdir, const char - return -1; - } - -+ if (pipe2(shim_stdout_pipe, O_CLOEXEC) != 0) { -+ ERROR("Failed to create pipe for shim exit code"); -+ return -1; -+ } -+ - pid = fork(); - if (pid < 0) { - ERROR("Failed fork for shim parent %s", strerror(errno)); - close(exec_fd[0]); - close(exec_fd[1]); -+ close(shim_stdout_pipe[0]); -+ close(shim_stdout_pipe[1]); - return -1; - } - -@@ -777,12 +789,21 @@ static int shim_create(bool fg, const char *id, const char *workdir, const char - realexec: - /* real shim process. */ - close(exec_fd[0]); -+ close(shim_stdout_pipe[0]); -+ // child process, dup2 shim_stdout_pipe[1] to STDOUT -+ if (dup2(shim_stdout_pipe[1], STDOUT_FILENO) < 0) { -+ (void)dprintf(exec_fd[1], "Dup fd error: %s", strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ - if (setsid() < 0) { - (void)dprintf(exec_fd[1], "%s: failed setsid for process %d", id, getpid()); - exit(EXIT_FAILURE); - } -- -- if (util_check_inherited(true, exec_fd[1]) != 0) { -+ int ignore_fd[2] = {-1, -1}; -+ ignore_fd[0] = exec_fd[1]; -+ ignore_fd[1] = shim_stdout_pipe[1]; -+ if (util_check_inherited_exclude_fds(true, ignore_fd, 2) != 0) { - (void)dprintf(exec_fd[1], "close inherited fds failed"); - } - -@@ -791,24 +812,38 @@ realexec: - } - - close(exec_fd[1]); -+ close(shim_stdout_pipe[1]); - num = util_read_nointr(exec_fd[0], exec_buff, sizeof(exec_buff) - 1); - close(exec_fd[0]); - if (num > 0) { -- ERROR("exec failed: %s", exec_buff); -+ ERROR("Exec failed: %s", exec_buff); - ret = -1; - goto out; - } - - status = util_wait_for_pid_status(pid); - if (status < 0) { -- ERROR("failed wait shim-parent %d exit %s", pid, strerror(errno)); -+ ERROR("Failed wait shim-parent %d exit %s", pid, strerror(errno)); - ret = -1; - goto out; - } - -- if (exit_code != NULL) { -- *exit_code = status_to_exit_code(status); -+ *shim_exit_code = status_to_exit_code(status); -+ if (*shim_exit_code != 0) { -+ ERROR("Isulad-shim exit error"); -+ ret = -1; -+ goto out; -+ } -+ -+ if (exit_code == NULL) { -+ goto out; -+ } -+ ret = util_read_nointr(shim_stdout_pipe[0], exit_code, sizeof(int)); -+ close(shim_stdout_pipe[0]); -+ if (ret <= 0) { -+ *exit_code = 137; - } -+ ret = 0; - - out: - if (ret != 0) { -@@ -892,6 +927,7 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_ - int ret = 0; - char workdir[PATH_MAX] = { 0 }; - shim_client_process_state p = { 0 }; -+ int shim_exit_code = 0; - - if (id == NULL || runtime == NULL || params == NULL) { - ERROR("nullptr arguments not allowed"); -@@ -924,7 +960,7 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_ - } - - get_runtime_cmd(runtime, &cmd); -- ret = shim_create(false, id, workdir, params->bundle, cmd, NULL, NULL); -+ ret = shim_create(false, id, workdir, params->bundle, cmd, NULL, NULL, &shim_exit_code); - if (ret != 0) { - runtime_call_delete_force(workdir, runtime, id); - ERROR("%s: failed create shim process", id); -@@ -1125,6 +1161,7 @@ int rt_isula_exec(const char *id, const char *runtime, const rt_exec_params_t *p - int pid = 0; - shim_client_process_state p = { 0 }; - char *timeout = NULL; -+ int shim_exit_code = 0; - - if (id == NULL || runtime == NULL || params == NULL || exit_code == NULL) { - ERROR("nullptr arguments not allowed"); -@@ -1199,13 +1236,13 @@ int rt_isula_exec(const char *id, const char *runtime, const rt_exec_params_t *p - } - } - -- ret = shim_create(fg_exec(params), id, workdir, bundle, cmd, exit_code, timeout); -+ ret = shim_create(fg_exec(params), id, workdir, bundle, cmd, exit_code, timeout, &shim_exit_code); - if (ret != 0) { - ERROR("%s: failed create shim process for exec %s", id, exec_id); - goto errlog_out; - } - -- if (*exit_code == SHIM_EXIT_TIMEOUT) { -+ if (shim_exit_code == SHIM_EXIT_TIMEOUT) { - ret = -1; - isulad_set_error_message("Exec container error;exec timeout"); - ERROR("isulad-shim %d exit for execing timeout", pid); --- -2.25.1 - diff --git a/0011-remove-usage-of-strerror-with-user-defined-errno.patch b/0011-remove-usage-of-strerror-with-user-defined-errno.patch new file mode 100644 index 0000000000000000000000000000000000000000..7626e6ace563716b6ca5635a57e64b1d2e395fdb --- /dev/null +++ b/0011-remove-usage-of-strerror-with-user-defined-errno.patch @@ -0,0 +1,891 @@ +From 16a4b6f334e4e81615a71cf7930158fb1bee5a12 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Wed, 6 Sep 2023 15:05:29 +0800 +Subject: [PATCH 11/32] remove usage of strerror with user defined errno + +Signed-off-by: haozi007 +--- + src/cmd/command_parser.c | 12 ++++++---- + src/cmd/isula/base/create.c | 3 ++- + src/cmd/isula/isula_host_spec.c | 9 ++++--- + src/cmd/isulad/main.c | 8 ++++--- + src/cmd/options/opt_ulimit.c | 6 +++-- + src/daemon/entry/cri/cni_network_plugin.cc | 9 ++++--- + src/daemon/entry/cri/sysctl_tools.c | 14 +++++++---- + .../v1/v1_cri_container_manager_service.cc | 4 ++-- + .../v1/v1_cri_pod_sandbox_manager_service.cc | 3 ++- + src/daemon/executor/network_cb/network_cb.c | 6 +++-- + src/daemon/modules/image/oci/oci_image.c | 6 +++-- + .../oci/storage/image_store/image_store.c | 6 +++-- + .../graphdriver/devmapper/deviceset.c | 19 +++++++++------ + .../storage/layer_store/graphdriver/driver.c | 9 ++++--- + .../graphdriver/overlay2/driver_overlay2.c | 17 ++++++++----- + .../oci/storage/layer_store/layer_store.c | 6 +++-- + .../remote_layer_support/remote_support.c | 6 +++-- + .../oci/storage/rootfs_store/rootfs_store.c | 6 +++-- + .../modules/image/oci/storage/storage.c | 6 +++-- + .../cni_operator/libcni/invoke/libcni_errno.c | 8 ------- + .../cni_operator/libcni/invoke/libcni_errno.h | 2 -- + .../cni_operator/libcni/libcni_cached.c | 3 ++- + .../modules/network/native/adaptor_native.c | 17 ++++++++----- + src/daemon/modules/plugin/plugin.c | 24 ++++++++++++------- + src/daemon/modules/service/service_network.c | 6 ++--- + src/daemon/sandbox/sandbox.cc | 8 ++++--- + src/utils/cutils/network_namespace.c | 3 ++- + src/utils/cutils/utils_file.c | 4 +++- + 28 files changed, 144 insertions(+), 86 deletions(-) + +diff --git a/src/cmd/command_parser.c b/src/cmd/command_parser.c +index ac353b40..1ad1d92b 100644 +--- a/src/cmd/command_parser.c ++++ b/src/cmd/command_parser.c +@@ -546,7 +546,8 @@ int command_convert_u16(command_option_t *option, const char *arg) + } + ret = util_safe_u16(arg, option->data); + if (ret != 0) { +- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, option->large, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, option->large); + return EINVALIDARGS; + } + return 0; +@@ -561,7 +562,8 @@ int command_convert_llong(command_option_t *opt, const char *arg) + } + ret = util_safe_llong(arg, opt->data); + if (ret != 0) { +- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, opt->large, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, opt->large); + return EINVALIDARGS; + } + return 0; +@@ -575,7 +577,8 @@ int command_convert_uint(command_option_t *opt, const char *arg) + } + ret = util_safe_uint(arg, opt->data); + if (ret != 0) { +- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, opt->large, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, opt->large); + return EINVALIDARGS; + } + return 0; +@@ -590,7 +593,8 @@ int command_convert_int(command_option_t *option, const char *arg) + } + ret = util_safe_int(arg, option->data); + if (ret != 0) { +- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, option->large, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, option->large); + return EINVALIDARGS; + } + return 0; +diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c +index aa90c5d6..cd0d4abd 100644 +--- a/src/cmd/isula/base/create.c ++++ b/src/cmd/isula/base/create.c +@@ -2032,7 +2032,8 @@ static int create_check_hugetlbs(const struct client_arguments *args) + } + ret = util_parse_byte_size_string(limit, &limitvalue); + if (ret != 0) { +- COMMAND_ERROR("Invalid hugetlb limit:%s:%s", limit, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid hugetlb limit:%s", limit); + free(dup); + ret = -1; + goto out; +diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c +index 9fa08bd2..6f39588d 100644 +--- a/src/cmd/isula/isula_host_spec.c ++++ b/src/cmd/isula/isula_host_spec.c +@@ -66,7 +66,8 @@ static bool parse_restart_policy(const char *policy, host_config_restart_policy + } + nret = util_safe_int(dotpos, &(*rp)->maximum_retry_count); + if (nret != 0) { +- COMMAND_ERROR("Maximum retry count must be an integer: %s", strerror(-nret)); ++ errno = -nret; ++ CMD_SYSERROR("Maximum retry count must be an integer"); + goto cleanup; + } + } +@@ -724,7 +725,8 @@ static host_config_hugetlbs_element *pase_hugetlb_limit(const char *input) + + ret = util_parse_byte_size_string(limit_value, &tconverted); + if (ret != 0 || tconverted < 0) { +- COMMAND_ERROR("Parse limit value: %s failed:%s", limit_value, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Parse limit value: %s failed", limit_value); + goto free_out; + } + limit = (uint64_t)tconverted; +@@ -733,7 +735,8 @@ static host_config_hugetlbs_element *pase_hugetlb_limit(const char *input) + tconverted = 0; + ret = util_parse_byte_size_string(pagesize, &tconverted); + if (ret != 0 || tconverted < 0) { +- COMMAND_ERROR("Parse pagesize error.Invalid hugepage size: %s: %s", pagesize, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Parse pagesize error.Invalid hugepage size: %s", pagesize); + goto free_out; + } + page = (uint64_t)tconverted; +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index 39cde6aa..8369f9e2 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -632,8 +632,9 @@ static int parse_time_duration(const char *value, unsigned int *seconds) + *(num_str + len - 1) = '\0'; + ret = util_safe_uint(num_str, &tmp); + if (ret < 0) { +- ERROR("Illegal unsigned integer: %s", num_str); +- COMMAND_ERROR("Illegal unsigned integer:%s:%s", num_str, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Illegal unsigned integer: %s", num_str); ++ COMMAND_ERROR("Illegal unsigned integer:%s", num_str); + ret = -1; + goto out; + } +@@ -1407,7 +1408,8 @@ static int create_mount_flock_file(const struct service_arguments *args) + // recreate mount flock file + // and make file uid/gid and permission correct + if (!util_force_remove_file(cleanpath, &err)) { +- ERROR("Failed to delete %s, error: %s. Please delete %s manually.", path, strerror(err), path); ++ errno = err; ++ SYSERROR("Failed to delete %s. Please delete %s manually.", path, path); + return -1; + } + } +diff --git a/src/cmd/options/opt_ulimit.c b/src/cmd/options/opt_ulimit.c +index 55912a16..6853c0d9 100644 +--- a/src/cmd/options/opt_ulimit.c ++++ b/src/cmd/options/opt_ulimit.c +@@ -63,7 +63,8 @@ static int parse_soft_hard_ulimit(const char *val, char **limitvals, size_t limi + // parse soft + ret = util_safe_llong(limitvals[0], &converted); + if (ret < 0) { +- COMMAND_ERROR("Invalid ulimit soft value: \"%s\", parse int64 failed: %s", val, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid ulimit soft value: \"%s\", parse int64 failed", val); + ret = -1; + goto out; + } +@@ -74,7 +75,8 @@ static int parse_soft_hard_ulimit(const char *val, char **limitvals, size_t limi + converted = 0; + ret = util_safe_llong(limitvals[1], &converted); + if (ret < 0) { +- COMMAND_ERROR("Invalid ulimit hard value: \"%s\", parse int64 failed: %s", val, strerror(-ret)); ++ errno = -ret; ++ CMD_SYSERROR("Invalid ulimit hard value: \"%s\", parse int64 failed", val); + ret = -1; + goto out; + } +diff --git a/src/daemon/entry/cri/cni_network_plugin.cc b/src/daemon/entry/cri/cni_network_plugin.cc +index 1c7fea2e..c186d185 100644 +--- a/src/daemon/entry/cri/cni_network_plugin.cc ++++ b/src/daemon/entry/cri/cni_network_plugin.cc +@@ -796,7 +796,8 @@ void CniNetworkPlugin::RLockNetworkMap(Errors &error) + int ret = pthread_rwlock_rdlock(&m_netsLock); + if (ret != 0) { + error.Errorf("Failed to get read lock"); +- ERROR("Get read lock failed: %s", strerror(ret)); ++ errno = ret; ++ SYSERROR("Get read lock failed"); + } + } + +@@ -805,7 +806,8 @@ void CniNetworkPlugin::WLockNetworkMap(Errors &error) + int ret = pthread_rwlock_wrlock(&m_netsLock); + if (ret != 0) { + error.Errorf("Failed to get write lock"); +- ERROR("Get write lock failed: %s", strerror(ret)); ++ errno = ret; ++ SYSERROR("Get write lock failed"); + } + } + +@@ -814,7 +816,8 @@ void CniNetworkPlugin::UnlockNetworkMap(Errors &error) + int ret = pthread_rwlock_unlock(&m_netsLock); + if (ret != 0) { + error.Errorf("Failed to unlock"); +- ERROR("Unlock failed: %s", strerror(ret)); ++ errno = ret; ++ SYSERROR("Unlock failed"); + } + } + +diff --git a/src/daemon/entry/cri/sysctl_tools.c b/src/daemon/entry/cri/sysctl_tools.c +index 847c36e9..ac4fb226 100644 +--- a/src/daemon/entry/cri/sysctl_tools.c ++++ b/src/daemon/entry/cri/sysctl_tools.c +@@ -22,6 +22,8 @@ + #include + #include + ++#include ++ + #include "utils.h" + + int get_sysctl(const char *sysctl, char **err) +@@ -41,14 +43,16 @@ int get_sysctl(const char *sysctl, char **err) + ret = -1; + fd = util_open(fullpath, O_RDONLY, 0); + if (fd < 0) { +- if (asprintf(err, "Open %s failed: %s", sysctl, strerror(errno)) < 0) { ++ SYSWARN("Open %s failed", sysctl); ++ if (asprintf(err, "Open %s failed", sysctl) < 0) { + *err = util_strdup_s("Out of memory"); + } + goto free_out; + } + rsize = util_read_nointr(fd, buff, sizeof(buff) - 1); + if (rsize <= 0) { +- if (asprintf(err, "Read file failed: %s", strerror(errno)) < 0) { ++ SYSWARN("Read file: %s failed", sysctl); ++ if (asprintf(err, "Read file: %s failed", sysctl) < 0) { + *err = util_strdup_s("Out of memory"); + } + goto free_out; +@@ -93,14 +97,16 @@ int set_sysctl(const char *sysctl, int new_value, char **err) + ret = -1; + fd = util_open(fullpath, O_WRONLY, 0); + if (fd < 0) { +- if (asprintf(err, "Open %s failed: %s", sysctl, strerror(errno)) < 0) { ++ SYSWARN("Open %s failed", sysctl); ++ if (asprintf(err, "Open %s failed", sysctl) < 0) { + *err = util_strdup_s("Out of memory"); + } + goto free_out; + } + rsize = util_write_nointr(fd, buff, strlen(buff)); + if (rsize < 0 || (size_t)rsize != strlen(buff)) { +- if (asprintf(err, "Write new value failed: %s", strerror(errno)) < 0) { ++ SYSWARN("Write new value to %s failed", sysctl); ++ if (asprintf(err, "Write new value to %s failed", sysctl) < 0) { + *err = util_strdup_s("Out of memory"); + } + goto free_out; +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index ecb7ffbd..daba21e4 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -497,8 +497,8 @@ void ContainerManagerService::CreateContainerLogSymlink(const std::string &conta + WARN("Deleted previously existing symlink file: %s", path); + } + if (symlink(realPath, path) != 0) { +- error.Errorf("failed to create symbolic link %s to the container log file %s for container %s: %s", path, +- realPath, containerID.c_str(), strerror(errno)); ++ SYSERROR("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str()); ++ error.Errorf("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str()); + goto cleanup; + } + } else { +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index d57338c8..41a02c54 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -429,7 +429,8 @@ void PodSandboxManagerService::ClearCniNetwork(const std::shared_ptrrwlock); + } + if (nret != 0) { +- ERROR("Lock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock memory store failed"); + return false; + } + +@@ -107,7 +108,8 @@ static inline void image_store_unlock() + + nret = pthread_rwlock_unlock(&g_image_store->rwlock); + if (nret != 0) { +- FATAL("Unlock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock memory store failed"); + } + } + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +index 81e53ea7..4f19c26d 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +@@ -107,8 +107,9 @@ static int handle_dm_min_free_space(char *val, struct device_set *devset) + int ret = util_parse_percent_string(val, &converted); + + if (ret != 0 || converted >= 100) { +- ERROR("Invalid min free space: '%s': %s", val, strerror(-ret)); +- isulad_set_error_message("Invalid min free space: '%s': %s", val, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid min free space: '%s'", val); ++ isulad_set_error_message("Invalid min free space: '%s'", val); + return -1; + } + devset->min_free_space_percent = (uint32_t)converted; +@@ -122,8 +123,9 @@ static int handle_dm_basesize(char *val, struct device_set *devset) + int ret = util_parse_byte_size_string(val, &converted); + + if (ret != 0) { +- ERROR("Invalid size: '%s': %s", val, strerror(-ret)); +- isulad_set_error_message("Invalid size: '%s': %s", val, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid size: '%s'", val); ++ isulad_set_error_message("Invalid size: '%s'", val); + return -1; + } + if (converted <= 0) { +@@ -2722,7 +2724,8 @@ static int determine_driver_capabilities(const char *version, struct device_set + + ret = util_parse_byte_size_string(tmp_str[0], &major); + if (ret != 0) { +- ERROR("devmapper: invalid size: '%s': %s", tmp_str[0], strerror(-ret)); ++ errno = -ret; ++ SYSERROR("devmapper: invalid size: '%s'", tmp_str[0]); + ret = -1; + goto out; + } +@@ -2742,7 +2745,8 @@ static int determine_driver_capabilities(const char *version, struct device_set + + ret = util_parse_byte_size_string(tmp_str[1], &minor); + if (ret != 0) { +- ERROR("devmapper: invalid size: '%s': %s", tmp_str[1], strerror(-ret)); ++ errno = -ret; ++ SYSERROR("devmapper: invalid size: '%s'", tmp_str[1]); + ret = -1; + goto out; + } +@@ -2915,7 +2919,8 @@ static int parse_storage_opt(const json_map_string_string *opts, uint64_t *size) + + ret = util_parse_byte_size_string(opts->values[i], &converted); + if (ret != 0) { +- ERROR("Invalid size: '%s': %s", opts->values[i], strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid size: '%s'", opts->values[i]); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c +index b83c63b1..b1790af1 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c +@@ -86,7 +86,8 @@ static inline bool driver_rd_lock() + + nret = pthread_rwlock_rdlock(&g_graphdriver->rwlock); + if (nret != 0) { +- ERROR("Lock driver memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock driver memory store failed"); + return false; + } + +@@ -99,7 +100,8 @@ static inline bool driver_wr_lock() + + nret = pthread_rwlock_wrlock(&g_graphdriver->rwlock); + if (nret != 0) { +- ERROR("Lock driver memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock driver memory store failed"); + return false; + } + +@@ -112,7 +114,8 @@ static inline void driver_unlock() + + nret = pthread_rwlock_unlock(&g_graphdriver->rwlock); + if (nret != 0) { +- FATAL("Unlock driver memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock driver memory store failed"); + } + } + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +index b177f594..3b27076c 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +@@ -134,7 +134,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio + int64_t converted = 0; + ret = util_parse_byte_size_string(val, &converted); + if (ret != 0) { +- ERROR("Invalid size: '%s': %s", val, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid size: '%s'", val); + ret = -1; + goto out; + } +@@ -143,7 +144,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio + int64_t converted = 0; + ret = util_parse_byte_size_string(val, &converted); + if (ret != 0) { +- ERROR("Invalid size: '%s': %s", val, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid size: '%s'", val); + ret = -1; + goto out; + } +@@ -152,7 +154,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio + bool converted_bool = 0; + ret = util_str_to_bool(val, &converted_bool); + if (ret != 0) { +- ERROR("Invalid bool: '%s': %s", val, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid bool: '%s'", val); + ret = -1; + goto out; + } +@@ -161,7 +164,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio + bool converted_bool = 0; + ret = util_str_to_bool(val, &converted_bool); + if (ret != 0) { +- ERROR("Invalid bool: '%s': %s", val, strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid bool: '%s'", val); + ret = -1; + goto out; + } +@@ -830,8 +834,9 @@ static int set_layer_quota(const char *dir, const json_map_string_string *opts, + int64_t converted = 0; + ret = util_parse_byte_size_string(opts->values[i], &converted); + if (ret != 0) { +- ERROR("Invalid size: '%s': %s", opts->values[i], strerror(-ret)); +- isulad_set_error_message("Invalid quota size: '%s': %s", opts->values[i], strerror(-ret)); ++ errno = -ret; ++ SYSERROR("Invalid size: '%s'", opts->values[i]); ++ isulad_set_error_message("Invalid quota size: '%s'", opts->values[i]); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +index ddf3a62c..8d8384b8 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +@@ -98,7 +98,8 @@ static inline bool layer_store_lock(bool writable) + nret = pthread_rwlock_rdlock(&g_metadata.rwlock); + } + if (nret != 0) { +- ERROR("Lock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock memory store failed"); + return false; + } + +@@ -111,7 +112,8 @@ static inline void layer_store_unlock() + + nret = pthread_rwlock_unlock(&g_metadata.rwlock); + if (nret != 0) { +- FATAL("Unlock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock memory store failed"); + } + } + +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c +index 400678c4..1bac8dd5 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c +@@ -39,7 +39,8 @@ static inline bool remote_refresh_lock(pthread_rwlock_t *remote_lock, bool writa + nret = pthread_rwlock_rdlock(remote_lock); + } + if (nret != 0) { +- ERROR("Lock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock memory store failed"); + return false; + } + +@@ -52,7 +53,8 @@ static inline void remote_refresh_unlock(pthread_rwlock_t *remote_lock) + + nret = pthread_rwlock_unlock(remote_lock); + if (nret != 0) { +- FATAL("Unlock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock memory store failed"); + } + } + +diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c +index 1c5d2d84..ee1e15d0 100644 +--- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c ++++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c +@@ -69,7 +69,8 @@ static inline bool rootfs_store_lock(enum lock_type type) + } + + if (nret != 0) { +- ERROR("Lock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock memory store failed"); + return false; + } + +@@ -82,7 +83,8 @@ static inline void rootfs_store_unlock() + + nret = pthread_rwlock_unlock(&g_rootfs_store->rwlock); + if (nret != 0) { +- FATAL("Unlock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock memory store failed"); + } + } + +diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c +index d5e79207..aa442ecf 100644 +--- a/src/daemon/modules/image/oci/storage/storage.c ++++ b/src/daemon/modules/image/oci/storage/storage.c +@@ -61,7 +61,8 @@ static inline bool storage_lock(pthread_rwlock_t *store_lock, bool writable) + nret = pthread_rwlock_rdlock(store_lock); + } + if (nret != 0) { +- ERROR("Lock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock memory store failed"); + return false; + } + +@@ -74,7 +75,8 @@ static inline void storage_unlock(pthread_rwlock_t *store_lock) + + nret = pthread_rwlock_unlock(store_lock); + if (nret != 0) { +- FATAL("Unlock memory store failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock memory store failed"); + } + } + +diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c +index efdcfbc7..977f9fbb 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c ++++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c +@@ -30,14 +30,6 @@ const char * const g_INVOKE_ERR_MSGS[] = { + "Success" + }; + +-const char *get_invoke_err_msg(int errcode) +-{ +- if (errcode > (int)INK_ERR_MIN && errcode <= (int)INK_ERR_SUCCESS) { +- return g_INVOKE_ERR_MSGS[errcode - (int)INK_ERR_MIN]; +- } +- return strerror(errcode); +-} +- + const char * const g_CNI_WELL_KNOWN_ERR_MSGS[] = { + /* 0 */ + "Success", +diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h +index 9f63e5f5..236bc6ef 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h ++++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h +@@ -43,8 +43,6 @@ enum CNI_CUSTOM_ERROR { + CUSTOM_ERR_MAX, // max flag + }; + +-const char *get_invoke_err_msg(int errcode); +- + enum CNI_WELL_KNOW_ERROR { + CNI_ERR_UNKNOW = 0, + CNI_ERR_INCOMPATIBLE_CNI_VERSION, +diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c b/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c +index 63ee6e10..17de527e 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c ++++ b/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c +@@ -276,7 +276,8 @@ int cni_cache_delete(const char *cache_dir, const char *net_name, const struct r + } + + if (!util_force_remove_file(file_path, &get_err)) { +- ERROR("Failed to delete %s, error: %s", file_path, strerror(get_err)); ++ errno = get_err; ++ SYSERROR("Failed to delete %s.", file_path); + } + + free(file_path); +diff --git a/src/daemon/modules/network/native/adaptor_native.c b/src/daemon/modules/network/native/adaptor_native.c +index 8bc386d1..8d403442 100644 +--- a/src/daemon/modules/network/native/adaptor_native.c ++++ b/src/daemon/modules/network/native/adaptor_native.c +@@ -86,7 +86,8 @@ static inline bool native_store_lock(enum lock_type type) + nret = pthread_rwlock_wrlock(&g_store.rwlock); + } + if (nret != 0) { +- ERROR("Lock network list failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock network list failed"); + return false; + } + +@@ -99,7 +100,8 @@ static inline void native_store_unlock() + + nret = pthread_rwlock_unlock(&g_store.rwlock); + if (nret != 0) { +- FATAL("Unlock network list failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock network list failed"); + } + } + +@@ -113,7 +115,8 @@ static inline void native_network_lock(enum lock_type type, native_network *netw + nret = pthread_rwlock_wrlock(&network->rwlock); + } + if (nret != 0) { +- ERROR("Lock network list failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Lock network list failed"); + } + } + +@@ -123,7 +126,8 @@ static inline void native_network_unlock(native_network *network) + + nret = pthread_rwlock_unlock(&network->rwlock); + if (nret != 0) { +- FATAL("Unlock network list failed: %s", strerror(nret)); ++ errno = nret; ++ SYSERROR("Unlock network list failed"); + } + } + +@@ -1944,8 +1948,9 @@ int native_config_remove(const char *name, char **res_name) + WARN("Failed to get %s file path", network->conflist->list->name); + isulad_append_error_message("Failed to get %s file path. ", network->conflist->list->name); + } else if (!util_force_remove_file(path, &get_err)) { +- WARN("Failed to delete %s, error: %s", path, strerror(get_err)); +- isulad_append_error_message("Failed to delete %s, error: %s. ", path, strerror(get_err)); ++ errno = get_err; ++ SYSWARN("Failed to delete %s.", path); ++ isulad_append_error_message("Failed to delete %s.", path); + } + + if (!map_remove(g_store.name_to_network, (void *)network->conflist->list->name)) { +diff --git a/src/daemon/modules/plugin/plugin.c b/src/daemon/modules/plugin/plugin.c +index b4d78dc9..c42cfd21 100644 +--- a/src/daemon/modules/plugin/plugin.c ++++ b/src/daemon/modules/plugin/plugin.c +@@ -409,7 +409,8 @@ static void pm_rdlock(void) + + errcode = pthread_rwlock_rdlock(&g_plugin_manager->pm_rwlock); + if (errcode != 0) { +- ERROR("Read lock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Read lock failed"); + } + } + +@@ -419,7 +420,8 @@ static void pm_wrlock(void) + + errcode = pthread_rwlock_wrlock(&g_plugin_manager->pm_rwlock); + if (errcode != 0) { +- ERROR("Write lock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Write lock failed"); + } + } + +@@ -429,7 +431,8 @@ static void pm_unlock(void) + + errcode = pthread_rwlock_unlock(&g_plugin_manager->pm_rwlock); + if (errcode != 0) { +- ERROR("Unlock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Unlock failed"); + } + } + +@@ -659,7 +662,8 @@ static void *plugin_manager_routine(void *arg) + + errcode = pthread_detach(pthread_self()); + if (errcode != 0) { +- ERROR("Detach thread failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Detach thread failed"); + return NULL; + } + if (pm_init() < 0) { +@@ -716,7 +720,8 @@ static void plugin_rdlock(plugin_t *plugin) + + errcode = pthread_rwlock_rdlock(&plugin->lock); + if (errcode != 0) { +- ERROR("Plugin read lock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Plugin read lock failed"); + } + } + +@@ -726,7 +731,8 @@ static void plugin_wrlock(plugin_t *plugin) + + errcode = pthread_rwlock_wrlock(&plugin->lock); + if (errcode != 0) { +- ERROR("Plugin write lock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Plugin write lock failed"); + } + } + +@@ -736,7 +742,8 @@ static void plugin_unlock(plugin_t *plugin) + + errcode = pthread_rwlock_unlock(&plugin->lock); + if (errcode != 0) { +- ERROR("Plugin unlock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Plugin unlock failed"); + } + } + +@@ -758,7 +765,8 @@ plugin_t *plugin_new(const char *name, const char *addr) + + errcode = pthread_rwlock_init(&plugin->lock, NULL); + if (errcode != 0) { +- ERROR("Plugin init lock failed: %s", strerror(errcode)); ++ errno = errcode; ++ SYSERROR("Plugin init lock failed"); + goto bad; + } + plugin->name = util_strdup_s(name); +diff --git a/src/daemon/modules/service/service_network.c b/src/daemon/modules/service/service_network.c +index 5502bcbd..6754cf1a 100644 +--- a/src/daemon/modules/service/service_network.c ++++ b/src/daemon/modules/service/service_network.c +@@ -962,7 +962,7 @@ static int do_update_internal_file(const char *id, const char *file_path, + ret = 0; + } else { + SYSERROR("Failed to write file %s", file_path); +- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); ++ isulad_set_error_message("Failed to write file %s", file_path); + ret = -1; + } + +@@ -1180,7 +1180,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de + goto out; + } else { + SYSERROR("Failed to open %s", file_path); +- isulad_set_error_message("Failed to open %s: %s", file_path, strerror(errno)); ++ isulad_set_error_message("Failed to open %s", file_path); + ret = -1; + goto out; + } +@@ -1213,7 +1213,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de + ret = util_write_file(file_path, str, strlen(str), NETWORK_MOUNT_FILE_MODE); + if (ret != 0) { + SYSERROR("Failed to write file %s", file_path); +- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); ++ isulad_set_error_message("Failed to write file %s", file_path); + goto out; + } + +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index d3fc7eea..1723e95e 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -817,7 +817,8 @@ auto Sandbox::SaveState(Errors &error) -> bool + + nret = util_atomic_write_file(path.c_str(), stateJson.c_str(), stateJson.length(), CONFIG_FILE_MODE, false); + if (nret != 0) { +- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); ++ SYSERROR("Failed to write file %s"); ++ error.Errorf("Failed to write file %s", path.c_str()); + return false; + } + +@@ -834,7 +835,7 @@ auto Sandbox::SaveNetworkSetting(Errors &error) -> bool + false); + if (nret != 0) { + SYSERROR("Failed to write file %s", path.c_str()); +- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); ++ error.Errorf("Failed to write file %s", path.c_str()); + return false; + } + +@@ -877,7 +878,8 @@ auto Sandbox::SaveMetadata(Errors &error) -> bool + + nret = util_atomic_write_file(path.c_str(), metadataJson.c_str(), metadataJson.length(), CONFIG_FILE_MODE, false); + if (nret != 0) { +- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); ++ SYSERROR("Failed to write file %s", path.c_str()); ++ error.Errorf("Failed to write file %s", path.c_str()); + return false; + } + return true; +diff --git a/src/utils/cutils/network_namespace.c b/src/utils/cutils/network_namespace.c +index 0e225d9b..c9838104 100644 +--- a/src/utils/cutils/network_namespace.c ++++ b/src/utils/cutils/network_namespace.c +@@ -231,7 +231,8 @@ int remove_network_namespace_file(const char *netns_path) + } + + if (!util_force_remove_file(netns_path, &get_err)) { +- ERROR("Failed to remove file %s, error: %s", netns_path, strerror(get_err)); ++ errno = get_err; ++ SYSERROR("Failed to remove file %s", netns_path); + return -1; + } + +diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c +index bc22ee95..1a148b0b 100644 +--- a/src/utils/cutils/utils_file.c ++++ b/src/utils/cutils/utils_file.c +@@ -1061,7 +1061,9 @@ char *look_path(const char *file, char **err) + if (en == 0) { + return util_strdup_s(file); + } +- if (asprintf(err, "find exec %s : %s", file, strerror(en)) < 0) { ++ errno = en; ++ SYSERROR("find exec %s failed", file); ++ if (asprintf(err, "find exec %s failed", file) < 0) { + *err = util_strdup_s("Out of memory"); + } + return NULL; +-- +2.25.1 + diff --git a/0012-fix-hugetlbs-malloc-length.patch b/0012-fix-hugetlbs-malloc-length.patch deleted file mode 100644 index 6d8c538f040b14c5aac6a026b1b2c45abb3e1434..0000000000000000000000000000000000000000 --- a/0012-fix-hugetlbs-malloc-length.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 069a36a0fbd5202ca6cf0d34550381b3bf1e3eb2 Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Sat, 27 May 2023 17:10:55 +0800 -Subject: [PATCH 12/15] fix hugetlbs malloc length - -Signed-off-by: zhangxiaoyu ---- - src/cmd/isulad-shim/common.c | 5 ++++- - src/daemon/modules/service/inspect_container.c | 2 +- - src/utils/cutils/utils.c | 5 ++++- - 3 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/cmd/isulad-shim/common.c b/src/cmd/isulad-shim/common.c -index 3787cdfb..7fa3c836 100644 ---- a/src/cmd/isulad-shim/common.c -+++ b/src/cmd/isulad-shim/common.c -@@ -381,7 +381,10 @@ void util_usleep_nointerupt(unsigned long usec) - - void *util_smart_calloc_s(size_t unit_size, size_t count) - { -- if (unit_size == 0) { -+ // If count or size is 0, -+ // then calloc() returns either NULL, -+ // or a unique pointer value that can later be successfully passed to free() -+ if (unit_size == 0 || count == 0) { - return NULL; - } - -diff --git a/src/daemon/modules/service/inspect_container.c b/src/daemon/modules/service/inspect_container.c -index b1050bc7..40cf7aa1 100644 ---- a/src/daemon/modules/service/inspect_container.c -+++ b/src/daemon/modules/service/inspect_container.c -@@ -751,7 +751,7 @@ static int pack_inspect_resources(const container_t *cont, container_inspect *in - resources->memory = cont->hostconfig->memory; - resources->memory_swap = cont->hostconfig->memory_swap; - resources->hugetlbs = util_smart_calloc_s(sizeof(container_inspect_resources_hugetlbs_element *), -- resources->hugetlbs_len); -+ cont->hostconfig->hugetlbs_len); - if (resources->hugetlbs == NULL) { - ERROR("Out of memory"); - ret = -1; -diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c -index 3500d8f8..103c7c5b 100644 ---- a/src/utils/cutils/utils.c -+++ b/src/utils/cutils/utils.c -@@ -253,7 +253,10 @@ int util_sig_parse(const char *sig_name) - - void *util_smart_calloc_s(size_t unit_size, size_t count) - { -- if (unit_size == 0) { -+ // If count or size is 0, -+ // then calloc() returns either NULL, -+ // or a unique pointer value that can later be successfully passed to free() -+ if (unit_size == 0 || count == 0) { - return NULL; - } - --- -2.25.1 - diff --git a/0012-use-gmtime_r-to-replace-gmtime.patch b/0012-use-gmtime_r-to-replace-gmtime.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc371a6eb11c82fc81fce80846f6072fa7cd16b1 --- /dev/null +++ b/0012-use-gmtime_r-to-replace-gmtime.patch @@ -0,0 +1,71 @@ +From ec04faff6fba052b5bb4ed0b090ae441f888ce5c Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Wed, 6 Sep 2023 16:31:19 +0800 +Subject: [PATCH 12/32] use gmtime_r to replace gmtime + +Signed-off-by: haozi007 +--- + src/utils/cutils/utils_timestamp.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/src/utils/cutils/utils_timestamp.c b/src/utils/cutils/utils_timestamp.c +index fee66ea8..8ae9e42a 100644 +--- a/src/utils/cutils/utils_timestamp.c ++++ b/src/utils/cutils/utils_timestamp.c +@@ -652,9 +652,9 @@ int64_t util_time_seconds_since(const char *in) + int32_t nanos = 0; + int64_t result = 0; + struct tm tm = { 0 }; +- struct tm *currentm = NULL; + struct types_timezone tz = { 0 }; + time_t currentime; ++ struct tm result_time = { 0 }; + + if (in == NULL || !strcmp(in, defaultContainerTime) || !strcmp(in, "-")) { + return 0; +@@ -666,13 +666,12 @@ int64_t util_time_seconds_since(const char *in) + } + + time(¤time); +- currentm = gmtime(¤time); +- if (currentm == NULL) { ++ if (gmtime_r(¤time, &result_time) == NULL) { + ERROR("Get time error"); + return 0; + } + +- result = get_minmus_time(currentm, &tm); ++ result = get_minmus_time(&result_time, &tm); + result = result + (int64_t)tz.hour * 3600 + (int64_t)tz.min * 60; + + if (result > 0) { +@@ -871,9 +870,9 @@ int util_time_format_duration(const char *in, char *out, size_t len) + int32_t nanos = 0; + int64_t result = 0; + struct tm tm = { 0 }; +- struct tm *currentm = NULL; + struct types_timezone tz = { 0 }; + time_t currentime = { 0 }; ++ struct tm result_time = { 0 }; + + if (out == NULL) { + return -1; +@@ -888,13 +887,12 @@ int util_time_format_duration(const char *in, char *out, size_t len) + } + + time(¤time); +- currentm = gmtime(¤time); +- if (currentm == NULL) { ++ if (gmtime_r(¤time, &result_time) == NULL) { + ERROR("Get time error"); + return -1; + } + +- result = get_minmus_time(currentm, &tm); ++ result = get_minmus_time(&result_time, &tm); + result = result + (int64_t)tz.hour * 3600 + (int64_t)tz.min * 60; + + if (result < 0 || !time_human_duration(result, out, len)) { +-- +2.25.1 + diff --git a/0013-fix-forget-to-set-return-value.patch b/0013-fix-forget-to-set-return-value.patch deleted file mode 100644 index 5aaeb39d1537f5c8f0b038c3ab7c4e8827b30d47..0000000000000000000000000000000000000000 --- a/0013-fix-forget-to-set-return-value.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 165912f5f5a8346613f75ec16c4c5b2aeb7e81e7 Mon Sep 17 00:00:00 2001 -From: "Neil.wrz" -Date: Sat, 27 May 2023 02:44:46 -0700 -Subject: [PATCH 13/15] fix forget to set return value - -Signed-off-by: Neil.wrz ---- - .../image/oci/storage/remote_layer_support/ro_symlink_maintain.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -index 2bcc43e6..4d234aab 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -@@ -135,6 +135,7 @@ static int do_build_ro_dir(const char *home, const char *id) - - nret = asprintf(&ro_layer_dir, "%s/%s/%s", home, REMOTE_RO_LAYER_DIR, id); - if (nret < 0 || nret > PATH_MAX) { -+ ret = -1; - SYSERROR("Failed to create ro layer dir path"); - goto out; - } --- -2.25.1 - diff --git a/0013-improve-report-error-message-of-client.patch b/0013-improve-report-error-message-of-client.patch new file mode 100644 index 0000000000000000000000000000000000000000..e8846deea4ed02fc581d92eed92daee743d0c88b --- /dev/null +++ b/0013-improve-report-error-message-of-client.patch @@ -0,0 +1,72 @@ +From a446152d676cf5616784e3f8f80dea8fd2ac221a Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Thu, 7 Sep 2023 14:34:01 +0800 +Subject: [PATCH 13/32] improve report error message of client + +Signed-off-by: haozi007 +--- + src/daemon/executor/container_cb/execution_stream.c | 4 ++-- + src/daemon/modules/service/service_container.c | 2 +- + src/utils/tar/isulad_tar.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c +index aae9c234..7db96b19 100644 +--- a/src/daemon/executor/container_cb/execution_stream.c ++++ b/src/daemon/executor/container_cb/execution_stream.c +@@ -536,7 +536,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c + nret = lstat(resolvedpath, &st); + if (nret < 0) { + SYSERROR("lstat %s failed.", resolvedpath); +- isulad_set_error_message("lstat %s failed.", resolvedpath); ++ isulad_set_error_message("Check %s failed, get more information from log.", resolvedpath); + goto cleanup; + } + +@@ -922,7 +922,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha + nret = lstat(resolvedpath, &st); + if (nret < 0) { + SYSERROR("lstat %s failed", resolvedpath); +- isulad_set_error_message("lstat %s failed", resolvedpath); ++ isulad_set_error_message("Check %s failed, get more information from log.", resolvedpath); + goto cleanup; + } + +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 370ba059..83d82201 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -596,7 +596,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem + + if (lstat(mp->source, &st) != 0) { + SYSERROR("lstat %s failed", mp->source); +- isulad_set_error_message("lstat %s failed", mp->source); ++ isulad_set_error_message("Check %s failed, get more information from log.", mp->source); + return -1; + } + +diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c +index bffbb43b..2e61d823 100644 +--- a/src/utils/tar/isulad_tar.c ++++ b/src/utils/tar/isulad_tar.c +@@ -192,7 +192,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li + nret = lstat(resolved_path, &st); + if (nret < 0) { + SYSERROR("lstat %s failed", resolved_path); +- format_errorf(err, "lstat %s failed", resolved_path); ++ format_errorf(err, "Check %s failed, get more information from log.", resolved_path); + goto cleanup; + } + +@@ -429,7 +429,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char + + if (lstat(path, &st) < 0) { + SYSERROR("lstat %s failed", path); +- format_errorf(err, "lstat %s failed", path); ++ format_errorf(err, "Check %s failed, get more information from log.", path); + return -1; + } + if (util_split_path_dir_entry(path, &srcdir, &srcbase) < 0) { +-- +2.25.1 + diff --git a/0014-adapt-new-error-message-for-isula-cp.patch b/0014-adapt-new-error-message-for-isula-cp.patch new file mode 100644 index 0000000000000000000000000000000000000000..4fbf3a537c153b9b4bd141832df61b45890700c9 --- /dev/null +++ b/0014-adapt-new-error-message-for-isula-cp.patch @@ -0,0 +1,43 @@ +From aba6d26fe34b3bea5964bca25f081a240312f08b Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Thu, 7 Sep 2023 14:41:48 +0800 +Subject: [PATCH 14/32] adapt new error message for isula cp + +Signed-off-by: haozi007 +--- + CI/test_cases/container_cases/cp.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/CI/test_cases/container_cases/cp.sh b/CI/test_cases/container_cases/cp.sh +index 7bec9170..e60ccbc2 100755 +--- a/CI/test_cases/container_cases/cp.sh ++++ b/CI/test_cases/container_cases/cp.sh +@@ -57,10 +57,10 @@ test_cp_file_from_container() + fi + rm -rf $dstfile + +- isula cp $containername:/etc/../etc/passwd/ $cpfiles 2>&1 | grep "Not a directory" ++ isula cp $containername:/etc/../etc/passwd/ $cpfiles 2>&1 | grep "get more information from log" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) + +- isula cp $containername:/etc/nonexists $cpfiles 2>&1 | grep "No such file or directory" ++ isula cp $containername:/etc/nonexists $cpfiles 2>&1 | grep "get more information from log" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) + + dstfile=$cpfiles/etc +@@ -146,10 +146,10 @@ test_cp_file_to_container() + isula cp /etc/passwd $containername:$cpfiles/nonexists/ 2>&1 | grep "no such directory" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) + +- isula cp /etc/passwd $containername:$cpfiles/nonexists/nonexists 2>&1 | grep "No such file or directory" ++ isula cp /etc/passwd $containername:$cpfiles/nonexists/nonexists 2>&1 | grep "get more information from log" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) + +- isula cp /etc/nonexists $containername:$cpfiles 2>&1 | grep "No such file or directory" ++ isula cp /etc/nonexists $containername:$cpfiles 2>&1 | grep "get more information from log" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) + rm -rf $dstfile + +-- +2.25.1 + diff --git a/0014-ensure-define-in-local-and-use-correctly-type.patch b/0014-ensure-define-in-local-and-use-correctly-type.patch deleted file mode 100644 index 8a48d49b459b0aae68bd775d484db174b7f67e84..0000000000000000000000000000000000000000 --- a/0014-ensure-define-in-local-and-use-correctly-type.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 1f71bbfb6ac54d0e8c4c4a4b9cf669301939dc65 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Sat, 27 May 2023 10:18:40 +0800 -Subject: [PATCH 14/15] ensure define in local and use correctly type - -Signed-off-by: haozi007 ---- - src/cmd/isula/volume/prune.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/cmd/isula/volume/prune.c b/src/cmd/isula/volume/prune.c -index 2a3bca3e..c8d632ed 100644 ---- a/src/cmd/isula/volume/prune.c -+++ b/src/cmd/isula/volume/prune.c -@@ -85,7 +85,6 @@ int cmd_volume_prune_main(int argc, const char **argv) - command_t cmd; - char **volumes = NULL; - size_t volumes_len = 0; -- char ch = 'n'; - struct command_option options[] = { LOG_OPTIONS(lconf) COMMON_OPTIONS(g_cmd_volume_prune_args) - PRUNE_OPTIONS(g_cmd_volume_prune_args) - }; -@@ -113,6 +112,7 @@ int cmd_volume_prune_main(int argc, const char **argv) - } - - if (!g_cmd_volume_prune_args.force) { -+ int ch; - printf("WARNING! This will remove all local volumes not used by at least one container.\n"); - printf("Are you sure you want to continue? [y/N]"); - ch = getchar(); --- -2.25.1 - diff --git a/0015-2182-Add-mutex-for-container-list-in-sandbox.patch b/0015-2182-Add-mutex-for-container-list-in-sandbox.patch new file mode 100644 index 0000000000000000000000000000000000000000..75edc0465fdaba35a5b10b4d70b66e7290e857b4 --- /dev/null +++ b/0015-2182-Add-mutex-for-container-list-in-sandbox.patch @@ -0,0 +1,58 @@ +From dcceff17d6c2e1c97cb18c65260edfd2d6a3a60a Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Tue, 12 Sep 2023 03:20:33 +0000 +Subject: [PATCH 15/32] !2182 Add mutex for container list in sandbox * Add + mutex for container list in sandbox + +--- + src/daemon/sandbox/sandbox.cc | 4 ++++ + src/daemon/sandbox/sandbox.h | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index 1723e95e..f391e809 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -131,6 +131,7 @@ auto Sandbox::GetRuntimeHandle() const -> const std::string & + + auto Sandbox::GetContainers() -> std::vector + { ++ ReadGuard lock(m_containersMutex); + return m_containers; + } + +@@ -394,16 +395,19 @@ void Sandbox::RemoveLabels(const std::string &key) + + void Sandbox::AddContainer(const std::string &id) + { ++ WriteGuard lock(m_containersMutex); + m_containers.push_back(id); + } + + void Sandbox::SetConatiners(const std::vector &cons) + { ++ WriteGuard lock(m_containersMutex); + m_containers = cons; + } + + void Sandbox::RemoveContainer(const std::string &id) + { ++ WriteGuard lock(m_containersMutex); + auto it = std::find(m_containers.begin(), m_containers.end(), id); + if (it != m_containers.end()) { + m_containers.erase(it); +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 0f135e70..89350131 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -200,6 +200,7 @@ private: + std::string m_networkSettings; + // container id lists + std::vector m_containers; ++ RWMutex m_containersMutex; + // TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly + // if save json string directly for sandbox recover, we need to consider hot + // upgrade between different CRI versions +-- +2.25.1 + diff --git a/0015-Revert-the-changes-in-util_smart_calloc_s.patch b/0015-Revert-the-changes-in-util_smart_calloc_s.patch deleted file mode 100644 index 7de6c4570d6274e5b5aab0c404daaf8fe97359e1..0000000000000000000000000000000000000000 --- a/0015-Revert-the-changes-in-util_smart_calloc_s.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 57ed3f3f177f0ffad972edda4cfec049f87fb153 Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Mon, 29 May 2023 16:19:38 +0800 -Subject: [PATCH 15/15] Revert the changes in util_smart_calloc_s - -Signed-off-by: xuxuepeng ---- - src/cmd/isulad-shim/common.c | 11 +++++++---- - src/utils/cutils/utils.c | 11 +++++++---- - 2 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/cmd/isulad-shim/common.c b/src/cmd/isulad-shim/common.c -index 7fa3c836..fc4f6035 100644 ---- a/src/cmd/isulad-shim/common.c -+++ b/src/cmd/isulad-shim/common.c -@@ -381,10 +381,7 @@ void util_usleep_nointerupt(unsigned long usec) - - void *util_smart_calloc_s(size_t unit_size, size_t count) - { -- // If count or size is 0, -- // then calloc() returns either NULL, -- // or a unique pointer value that can later be successfully passed to free() -- if (unit_size == 0 || count == 0) { -+ if (unit_size == 0) { - return NULL; - } - -@@ -392,6 +389,12 @@ void *util_smart_calloc_s(size_t unit_size, size_t count) - return NULL; - } - -+ // If count or size is 0, -+ // then calloc() returns either NULL, -+ // or a unique pointer value that can later be successfully passed to free() -+ // In current linux implementation, if the size for memory allocation is 0, -+ // then a unique pointer value is returned. If the return value is Null pointer, -+ // it means out of memory. - return calloc(count, unit_size); - } - -diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c -index 103c7c5b..1e17853a 100644 ---- a/src/utils/cutils/utils.c -+++ b/src/utils/cutils/utils.c -@@ -253,10 +253,7 @@ int util_sig_parse(const char *sig_name) - - void *util_smart_calloc_s(size_t unit_size, size_t count) - { -- // If count or size is 0, -- // then calloc() returns either NULL, -- // or a unique pointer value that can later be successfully passed to free() -- if (unit_size == 0 || count == 0) { -+ if (unit_size == 0 ) { - return NULL; - } - -@@ -264,6 +261,12 @@ void *util_smart_calloc_s(size_t unit_size, size_t count) - return NULL; - } - -+ // If count or size is 0, -+ // then calloc() returns either NULL, -+ // or a unique pointer value that can later be successfully passed to free() -+ // In current linux implementation, if the size for memory allocation is 0, -+ // then a unique pointer value is returned. If the return value is Null pointer, -+ // it means out of memory. - return calloc(count, unit_size); - } - --- -2.25.1 - diff --git a/0016-2180-fix-execlp-not-enough-args.patch b/0016-2180-fix-execlp-not-enough-args.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b9359896b4fedcce1f47cfdfd5a2b2b99b43dad --- /dev/null +++ b/0016-2180-fix-execlp-not-enough-args.patch @@ -0,0 +1,54 @@ +From e9c0fb3c72bd102f24afe247bb545df210fa9aee Mon Sep 17 00:00:00 2001 +From: zhangxiaoyu +Date: Tue, 12 Sep 2023 03:55:17 +0000 +Subject: [PATCH 16/32] !2180 fix execlp not enough args * fix execlp not + enough args + +--- + cmake/set_build_flags.cmake | 2 +- + test/fuzz/CMakeLists.txt | 2 +- + test/image/oci/oci_ut_common.cc | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake +index ba250cdc..09c85c65 100644 +--- a/cmake/set_build_flags.cmake ++++ b/cmake/set_build_flags.cmake +@@ -3,7 +3,7 @@ set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fP + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") + + if (GRPC_CONNECTOR) +- set(CMAKE_CXX_FLAGS "-fPIC -std=c++11 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") ++ set(CMAKE_CXX_FLAGS "-fPIC -std=c++17 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") + endif() + set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread") +diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt +index 478a4012..617a168f 100644 +--- a/test/fuzz/CMakeLists.txt ++++ b/test/fuzz/CMakeLists.txt +@@ -34,7 +34,7 @@ MESSAGE(STATUS "GCLANG_PP_BINARY is set to ${GCLANG_PP_BINARY}") + SET(CMAKE_C_COMPILER "${GCLANG_BINARY}") + SET(CMAKE_CXX_COMPILER "${GCLANG_PP_BINARY}") + SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 --coverage -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") +-SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++11 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") ++SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++17 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") + SET(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) + + SET(EXE0 test_volume_mount_spec_fuzz) +diff --git a/test/image/oci/oci_ut_common.cc b/test/image/oci/oci_ut_common.cc +index 1158ae85..9fa25d1c 100644 +--- a/test/image/oci/oci_ut_common.cc ++++ b/test/image/oci/oci_ut_common.cc +@@ -22,7 +22,7 @@ + + int execvp_success(const char *file, char * const argv[]) + { +- execlp("echo", "echo"); ++ execlp("echo", "echo", NULL); + return -1; + } + +-- +2.25.1 + diff --git a/0017-2135-modify-incorrect-variable-type.patch b/0017-2135-modify-incorrect-variable-type.patch new file mode 100644 index 0000000000000000000000000000000000000000..49c1ce6a0eae973f7b43d66cb715884a210fe864 --- /dev/null +++ b/0017-2135-modify-incorrect-variable-type.patch @@ -0,0 +1,200 @@ +From e7f21e04b8710ec60045ba26ebdda5ce8a0c0f09 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 28 Aug 2023 06:46:10 +0000 +Subject: [PATCH 17/32] !2135 modify incorrect variable type * modify incorrect + variable type + +--- + src/client/connect/protocol_type.h | 2 +- + src/daemon/modules/image/oci/oci_load.c | 4 ++-- + src/daemon/modules/image/oci/registry/registry.c | 12 +++++++----- + .../oci/storage/layer_store/graphdriver/driver.c | 2 +- + .../image/oci/storage/layer_store/layer_store.c | 15 +++++++++------ + src/daemon/modules/image/oci/storage/storage.c | 2 +- + src/daemon/modules/image/oci/utils_images.c | 4 ++-- + src/daemon/modules/service/service_container.c | 2 +- + 8 files changed, 24 insertions(+), 19 deletions(-) + +diff --git a/src/client/connect/protocol_type.h b/src/client/connect/protocol_type.h +index 62d27c91..4206c50b 100644 +--- a/src/client/connect/protocol_type.h ++++ b/src/client/connect/protocol_type.h +@@ -244,7 +244,7 @@ typedef struct container_events_format { + char *opt; + char *id; + char **annotations; +- char annotations_len; ++ size_t annotations_len; + } container_events_format_t; + + typedef void (*container_events_callback_t)(const container_events_format_t *event); +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index 5511a70c..5e062d44 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -164,7 +164,7 @@ static void oci_load_free_layer(load_layer_blob_t *l) + + static void oci_load_free_image(load_image_t *im) + { +- int i = 0; ++ size_t i = 0; + + if (im == NULL) { + return; +@@ -406,7 +406,7 @@ out: + + static int check_time_valid(oci_image_spec *conf) + { +- int i = 0; ++ size_t i = 0; + + if (!oci_valid_time(conf->created)) { + ERROR("Invalid created time %s", conf->created); +diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c +index 5c660bc9..e0b46e2e 100644 +--- a/src/daemon/modules/image/oci/registry/registry.c ++++ b/src/daemon/modules/image/oci/registry/registry.c +@@ -655,18 +655,20 @@ static int register_layer(pull_descriptor *desc, size_t i) + + static int get_top_layer_index(pull_descriptor *desc, size_t *top_layer_index) + { +- int i = 0; ++ size_t i; + + if (desc == NULL || top_layer_index == NULL) { + ERROR("Invalid NULL pointer"); + return -1; + } +- +- for (i = desc->layers_len - 1; i >= 0; i--) { +- if (desc->layers[i].empty_layer) { ++ // iterate over the layers array in reverse order, starting from the last layer ++ // since i is an unsigned number, i traverses from layers_len to 1 ++ for (i = desc->layers_len; i > 0; i--) { ++ // the corresponding array index is [i - 1]: layers_len - 1 -> 0 ++ if (desc->layers[i - 1].empty_layer) { + continue; + } +- *top_layer_index = i; ++ *top_layer_index = i - 1; + return 0; + } + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c +index b1790af1..fc2857b6 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c +@@ -345,7 +345,7 @@ int graphdriver_apply_diff(const char *id, const struct io_read_wrapper *content + container_inspect_graph_driver *graphdriver_get_metadata(const char *id) + { + int ret = -1; +- int i = 0; ++ size_t i = 0; + container_inspect_graph_driver *inspect_driver = NULL; + json_map_string_string *metadata = NULL; + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +index 8d8384b8..6ea3c48b 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +@@ -747,7 +747,7 @@ out: + static int insert_memory_stores(const char *id, const struct layer_opts *opts, layer_t *l) + { + int ret = 0; +- int i = 0; ++ size_t i = 0; + + if (!append_layer_into_list(l)) { + ret = -1; +@@ -788,9 +788,12 @@ clear_compress_digest: + (void)delete_digest_from_map(g_metadata.by_compress_digest, l->slayer->compressed_diff_digest, id); + } + clear_by_name: +- for (i = i - 1; i >= 0; i--) { +- if (!map_remove(g_metadata.by_name, (void *)opts->names[i])) { +- WARN("Remove name: %s failed", opts->names[i]); ++ // iterate over the names in reverse order, starting from the last name ++ // since i is an unsigned number, i traverses from inserted name len to 1 ++ for (; i > 0; i--) { ++ // the corresponding array index is [i - 1]: inserted name len - 1 -> 0 ++ if (!map_remove(g_metadata.by_name, (void *)opts->names[i - 1])) { ++ WARN("Remove name: %s failed", opts->names[i - 1]); + } + } + if (!map_remove(g_metadata.by_id, (void *)id)) { +@@ -1812,7 +1815,7 @@ void layer_store_exit() + static uint64_t payload_to_crc(char *payload) + { + int ret = 0; +- int i = 0; ++ size_t i = 0; + uint64_t crc = 0; + uint8_t *crc_sums = NULL; + size_t crc_sums_len = 0; +@@ -2232,7 +2235,7 @@ int remote_load_one_layer(const char *id) + { + int ret = 0; + layer_t *tl = NULL; +- int i = 0; ++ size_t i = 0; + + if (!layer_store_lock(true)) { + return -1; +diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c +index aa442ecf..13f8bb53 100644 +--- a/src/daemon/modules/image/oci/storage/storage.c ++++ b/src/daemon/modules/image/oci/storage/storage.c +@@ -1538,7 +1538,7 @@ out: + + static bool is_rootfs_layer(const char *layer_id, const struct rootfs_list *all_rootfs) + { +- int j; ++ size_t j; + + if (all_rootfs == NULL || layer_id == NULL) { + return false; +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index a233c2b1..2c5656c6 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -450,7 +450,7 @@ static char *convert_created_by(image_manifest_v1_compatibility *config) + int add_rootfs_and_history(const layer_blob *layers, size_t layers_len, const registry_manifest_schema1 *manifest, + docker_image_config_v2 *config) + { +- int i = 0; ++ size_t i = 0; + int ret = 0; + size_t history_index = 0; + parser_error err = NULL; +@@ -511,7 +511,7 @@ int add_rootfs_and_history(const layer_blob *layers, size_t layers_len, const re + + ret = util_array_append(&config->rootfs->diff_ids, layers[i].diff_id); + if (ret != 0) { +- ERROR("append diff id of layer %u to rootfs failed, diff id is %s", i, layers[i].diff_id); ++ ERROR("append diff id of layer %zu to rootfs failed, diff id is %s", i, layers[i].diff_id); + ret = -1; + goto out; + } +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 83d82201..1fa2559d 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -320,7 +320,6 @@ static int write_env_content(const char *env_path, const char **env, size_t env_ + int fd = -1; + size_t i = 0; + ssize_t nret = 0; +- int env_max = 4096; + + ret = create_env_path_dir(env_path); + if (ret < 0) { +@@ -335,6 +334,7 @@ static int write_env_content(const char *env_path, const char **env, size_t env_ + } + if (env != NULL) { + for (i = 0; i < env_len; i++) { ++ size_t env_max = 4096; + if (strlen(env[i]) > env_max) { + ERROR("Env is too long"); + ret = -1; +-- +2.25.1 + diff --git a/0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch b/0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch new file mode 100644 index 0000000000000000000000000000000000000000..177c3b906a80cc84a35f91db1f014a56c60006a7 --- /dev/null +++ b/0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch @@ -0,0 +1,1575 @@ +From c6442b5805d39d8749a1016e2932543a130f16dc Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Fri, 25 Aug 2023 17:34:12 +0800 +Subject: [PATCH 18/32] make sure the input parameter is not empty and optimize + the code + +Signed-off-by: zhongtao +--- + src/daemon/modules/api/image_api.h | 2 +- + src/daemon/modules/image/external/ext_image.c | 8 ++- + src/daemon/modules/image/image.c | 47 +++++++++++----- + src/daemon/modules/image/image_spec_merge.c | 2 +- + .../modules/image/oci/oci_common_operators.c | 9 ++- + src/daemon/modules/image/oci/oci_image.c | 8 +-- + src/daemon/modules/image/oci/oci_image.h | 2 +- + src/daemon/modules/image/oci/oci_image_type.h | 42 -------------- + src/daemon/modules/image/oci/oci_import.c | 1 + + src/daemon/modules/image/oci/oci_load.c | 10 +--- + src/daemon/modules/image/oci/oci_load.h | 2 +- + src/daemon/modules/image/oci/oci_login.c | 2 +- + src/daemon/modules/image/oci/oci_logout.c | 2 +- + src/daemon/modules/image/oci/oci_pull.c | 4 +- + .../image/oci/registry/registry_apiv2.c | 2 +- + .../oci/storage/image_store/image_store.c | 45 ++++++++++++--- + .../oci/storage/image_store/image_store.h | 4 +- + .../graphdriver/devmapper/deviceset.c | 10 ++-- + .../graphdriver/devmapper/driver_devmapper.c | 4 +- + .../graphdriver/devmapper/wrapper_devmapper.c | 14 +++-- + .../graphdriver/devmapper/wrapper_devmapper.h | 8 +-- + .../graphdriver/overlay2/driver_overlay2.c | 17 +++--- + .../graphdriver/overlay2/driver_overlay2.h | 2 - + .../image/oci/storage/layer_store/layer.c | 2 +- + .../image/oci/storage/layer_store/layer.h | 2 +- + .../oci/storage/layer_store/layer_store.c | 55 ++++++++----------- + .../oci/storage/layer_store/layer_store.h | 8 +-- + .../remote_layer_support/image_remote_impl.c | 12 +++- + .../remote_layer_support/layer_remote_impl.c | 10 ++++ + .../overlay_remote_impl.c | 10 ++++ + .../remote_layer_support/remote_support.c | 5 ++ + .../ro_symlink_maintain.c | 11 +++- + .../oci/storage/rootfs_store/rootfs_store.c | 8 +-- + .../oci/storage/rootfs_store/rootfs_store.h | 6 +- + .../modules/image/oci/storage/storage.c | 35 ++++++++++-- + .../modules/image/oci/storage/storage.h | 6 +- + src/daemon/modules/image/oci/utils_images.c | 7 ++- + src/daemon/modules/image/oci/utils_images.h | 2 +- + src/utils/http/http.h | 2 + + .../oci/storage/layers/storage_driver_ut.cc | 10 +--- + .../oci/storage/layers/storage_layers_ut.cc | 34 ------------ + test/mocks/driver_overlay2_mock.cc | 8 --- + test/mocks/driver_overlay2_mock.h | 1 - + 43 files changed, 251 insertions(+), 230 deletions(-) + delete mode 100644 src/daemon/modules/image/oci/oci_image_type.h + +diff --git a/src/daemon/modules/api/image_api.h b/src/daemon/modules/api/image_api.h +index 4bb8d1a9..2f2c00a2 100644 +--- a/src/daemon/modules/api/image_api.h ++++ b/src/daemon/modules/api/image_api.h +@@ -239,7 +239,7 @@ typedef struct { + + int image_module_init(const isulad_daemon_configs *args); + +-void image_module_exit(); ++void image_module_exit(void); + + int im_get_container_filesystem_usage(const char *image_type, const char *id, imagetool_fs_info **fs_usage); + +diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c +index e1706469..5b6b7298 100644 +--- a/src/daemon/modules/image/external/ext_image.c ++++ b/src/daemon/modules/image/external/ext_image.c +@@ -138,13 +138,17 @@ int ext_list_images(const im_list_request *request, imagetool_images_list **list + { + int ret = 0; + ++ if (request == NULL || list == NULL) { ++ ERROR("Empty request or list"); ++ return -1; ++ } ++ + *list = util_common_calloc_s(sizeof(imagetool_images_list)); + if (*list == NULL) { + ERROR("Memory out"); + ret = -1; +- goto out; + } +-out: ++ + return ret; + } + +diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c +index 322ab67c..408ceea2 100644 +--- a/src/daemon/modules/image/image.c ++++ b/src/daemon/modules/image/image.c +@@ -374,8 +374,8 @@ int im_resolv_image_name(const char *image_type, const char *image_name, char ** + int ret = -1; + const struct bim_type *q = NULL; + +- if (image_type == NULL) { +- ERROR("Image type is required"); ++ if (image_type == NULL || image_name == NULL || resolved_name == NULL) { ++ ERROR("Image type image_name and resolved_name is required"); + goto out; + } + q = get_bim_by_type(image_type); +@@ -402,8 +402,8 @@ int im_get_filesystem_info(const char *image_type, im_fs_info_response **respons + int ret = -1; + const struct bim_type *q = NULL; + +- if (image_type == NULL) { +- ERROR("Image type is required"); ++ if (image_type == NULL || response == NULL) { ++ ERROR("Image type and response is required"); + goto out; + } + +@@ -419,7 +419,7 @@ int im_get_filesystem_info(const char *image_type, im_fs_info_response **respons + INFO("Event: {Object: get image filesystem info, Type: inspecting}"); + ret = q->ops->get_filesystem_info(response); + if (ret != 0) { +- if (response != NULL && *response != NULL) { ++ if (*response != NULL && (*response)->errmsg != NULL) { + ERROR("Get filesystem info failed: %s", (*response)->errmsg); + } else { + ERROR("Get filesystem info failed"); +@@ -439,7 +439,7 @@ int im_get_container_filesystem_usage(const char *image_type, const char *id, im + const struct bim_type *q = NULL; + im_container_fs_usage_request *request = NULL; + +- if (image_type == NULL || id == NULL) { ++ if (image_type == NULL || id == NULL || fs_usage == NULL) { + ERROR("Invalid input arguments"); + ret = -1; + goto out; +@@ -763,6 +763,12 @@ bool im_config_image_exist(const char *image_name) + { + const struct bim_type *bim_type = NULL; + ++ if (image_name == NULL) { ++ ERROR("Invalid input arguments"); ++ isulad_set_error_message("Invalid input arguments"); ++ return false; ++ } ++ + bim_type = bim_query(image_name); + if (bim_type == NULL) { + ERROR("Config image %s not exist", image_name); +@@ -778,7 +784,7 @@ int im_merge_image_config(const char *image_type, const char *image_name, contai + int ret = 0; + struct bim *bim = NULL; + +- if (container_spec == NULL || image_type == NULL) { ++ if (container_spec == NULL || image_name == NULL || image_type == NULL) { + ERROR("Invalid input arguments"); + ret = -1; + goto out; +@@ -905,7 +911,7 @@ int im_list_images(const im_list_request *ctx, im_list_response **response) + size_t i; + imagetool_images_list *images_tmp = NULL; + +- if (response == NULL) { ++ if (ctx == NULL || response == NULL) { + ERROR("Empty arguments"); + return -1; + } +@@ -982,6 +988,12 @@ static bool check_im_pull_args(const im_pull_request *req, im_pull_response * co + isulad_set_error_message("Empty image required"); + return false; + } ++ ++ if (req->type == NULL) { ++ ERROR("Empty type required"); ++ isulad_set_error_message("Empty type required"); ++ return false; ++ } + return true; + } + +@@ -1079,7 +1091,7 @@ int im_import_image(const im_import_request *request, char **id) + return -1; + } + +- if (request->file == NULL) { ++ if (request->file == NULL || request->tag == NULL) { + ERROR("Import image requires image tarball file path"); + isulad_set_error_message("Import image requires image tarball file path"); + goto pack_response; +@@ -1185,7 +1197,8 @@ int im_load_image(const im_load_request *request, im_load_response **response) + + ret = bim->ops->load_image(request); + if (ret != 0) { +- ERROR("Failed to load image from %s with tag %s and type %s", request->file, request->tag, request->type); ++ // request->tag may be empty ++ ERROR("Failed to load image from %s with type %s", request->file, request->type); + ret = -1; + goto pack_response; + } +@@ -1368,11 +1381,16 @@ int im_logout(const im_logout_request *request, im_logout_response **response) + int ret = -1; + struct bim *bim = NULL; + +- if (response == NULL) { ++ if (request == NULL || response == NULL) { + ERROR("Empty response"); + return -1; + } + ++ if (request->type == NULL || request->server == NULL) { ++ ERROR("Empty type or server"); ++ return -1; ++ } ++ + *response = util_common_calloc_s(sizeof(im_logout_response)); + if (*response == NULL) { + ERROR("Out of memory"); +@@ -1842,13 +1860,12 @@ char *im_get_rootfs_dir(const im_get_rf_dir_request *request) + char *dir = NULL; + struct bim *bim = NULL; + +- if (request->type == NULL) { ++ if (request == NULL || request->type == NULL) { + ERROR("Missing image type"); + return NULL; + } + + bim = bim_get(request->type, NULL, NULL, NULL); +- + if (bim == NULL) { + ERROR("Failed to init bim, image type:%s", request->type); + return NULL; +@@ -1916,7 +1933,7 @@ int image_module_init(const isulad_daemon_configs *args) + return bims_init(args); + } + +-void image_module_exit() ++void image_module_exit(void) + { + size_t i; + +@@ -2085,7 +2102,7 @@ int im_prepare_container_rootfs(const im_prepare_request *request, char **real_r + int nret = 0; + struct bim *bim = NULL; + +- if (request == NULL) { ++ if (request == NULL || real_rootfs == NULL) { + ERROR("Invalid input arguments"); + return -1; + } +diff --git a/src/daemon/modules/image/image_spec_merge.c b/src/daemon/modules/image/image_spec_merge.c +index e8cdae28..1e857bb7 100644 +--- a/src/daemon/modules/image/image_spec_merge.c ++++ b/src/daemon/modules/image/image_spec_merge.c +@@ -29,7 +29,7 @@ int image_spec_merge_env(const char **env, size_t env_len, container_config *con + char **im_kv = NULL; + char **custom_kv = NULL; + +- if (env == NULL || env_len == 0) { ++ if (env == NULL || env_len == 0 || container_spec == NULL) { + return 0; + } + +diff --git a/src/daemon/modules/image/oci/oci_common_operators.c b/src/daemon/modules/image/oci/oci_common_operators.c +index 83cccbe6..e15423e6 100644 +--- a/src/daemon/modules/image/oci/oci_common_operators.c ++++ b/src/daemon/modules/image/oci/oci_common_operators.c +@@ -57,7 +57,7 @@ char *oci_resolve_image_name(const char *name) + + int oci_get_user_conf(const char *basefs, host_config *hc, const char *userstr, defs_process_user *puser) + { +- if (basefs == NULL || puser == NULL) { ++ if (basefs == NULL || puser == NULL || hc == NULL) { + ERROR("Empty basefs or puser"); + return -1; + } +@@ -371,6 +371,11 @@ int oci_list_images(const im_list_request *request, imagetool_images_list **imag + int ret = 0; + struct filters_args *image_filters = NULL; + ++ if (request == NULL || images == NULL) { ++ ERROR("Empty request or images"); ++ return -1; ++ } ++ + if (request != NULL && request->image_filters != NULL) { + image_filters = request->image_filters; + } +@@ -408,7 +413,7 @@ int oci_summary_image(im_summary_request *request, im_summary_response *response + char *image_ref = NULL; + char *resolved_name = NULL; + +- if (response == NULL) { ++ if (request == NULL || response == NULL) { + ERROR("Invalid arguments"); + return -1; + } +diff --git a/src/daemon/modules/image/oci/oci_image.c b/src/daemon/modules/image/oci/oci_image.c +index 4a48016b..f712a446 100644 +--- a/src/daemon/modules/image/oci/oci_image.c ++++ b/src/daemon/modules/image/oci/oci_image.c +@@ -353,7 +353,7 @@ out: + return ret; + } + +-void oci_exit() ++void oci_exit(void) + { + storage_module_exit(); + free_oci_image_data(); +@@ -396,7 +396,7 @@ int oci_prepare_rf(const im_prepare_request *request, char **real_rootfs) + { + int ret = 0; + +- if (request == NULL) { ++ if (request == NULL || request->container_id == NULL) { + ERROR("Bim is NULL"); + return -1; + } +@@ -457,7 +457,7 @@ int oci_mount_rf(const im_mount_request *request) + { + char *mount_point = NULL; + +- if (request == NULL) { ++ if (request == NULL || request->name_id == NULL) { + ERROR("Invalid arguments"); + return -1; + } +@@ -796,7 +796,7 @@ int oci_export_rf(const im_export_request *request) + { + int ret = 0; + +- if (request == NULL) { ++ if (request == NULL || request->name_id == NULL) { + ERROR("Invalid input arguments"); + return -1; + } +diff --git a/src/daemon/modules/image/oci/oci_image.h b/src/daemon/modules/image/oci/oci_image.h +index c52c8a7b..07f10c8d 100644 +--- a/src/daemon/modules/image/oci/oci_image.h ++++ b/src/daemon/modules/image/oci/oci_image.h +@@ -41,7 +41,7 @@ struct oci_image_module_data { + struct oci_image_module_data *get_oci_image_data(void); + + int oci_init(const isulad_daemon_configs *args); +-void oci_exit(); ++void oci_exit(void); + + int oci_pull_rf(const im_pull_request *request, im_pull_response *response); + int oci_rmi(const im_rmi_request *request); +diff --git a/src/daemon/modules/image/oci/oci_image_type.h b/src/daemon/modules/image/oci/oci_image_type.h +deleted file mode 100644 +index f436a453..00000000 +--- a/src/daemon/modules/image/oci/oci_image_type.h ++++ /dev/null +@@ -1,42 +0,0 @@ +-/****************************************************************************** +- * Copyright (c) Huawei Technologies Co., Ltd. 2018-2019. All rights reserved. +- * iSulad licensed under the Mulan PSL v2. +- * You can use this software according to the terms and conditions of the Mulan PSL v2. +- * You may obtain a copy of Mulan PSL v2 at: +- * http://license.coscl.org.cn/MulanPSL2 +- * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +- * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +- * PURPOSE. +- * See the Mulan PSL v2 for more details. +- * Author: lifeng +- * Create: 2018-11-08 +- * Description: provide image type definition +- ******************************************************************************/ +- +-#ifndef DAEMON_MODULES_IMAGE_OCI_OCI_IMAGE_TYPE_H +-#define DAEMON_MODULES_IMAGE_OCI_OCI_IMAGE_TYPE_H +- +-#ifdef __cplusplus +-extern "C" { +-#endif +- +-/* AuthConfig contains authorization information for connecting to a registry */ +-typedef struct { +- char *username; +- char *password; +- char *auth; +- char *server_address; +- +- // IdentityToken is used to authenticate the user and get +- // an access token for the registry. +- char *identity_token; +- +- // RegistryToken is a bearer token to be sent to a registry +- char *registry_token; +-} auth_config; +- +-#ifdef __cplusplus +-} +-#endif +- +-#endif +diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c +index 93179504..1e14a916 100644 +--- a/src/daemon/modules/image/oci/oci_import.c ++++ b/src/daemon/modules/image/oci/oci_import.c +@@ -268,6 +268,7 @@ static int create_manifest(import_desc *desc) + manifest->layers[0]->size = desc->compressed_size; + manifest->layers[0]->digest = util_strdup_s(desc->compressed_digest); + ++ // the image manifest schema version is v2 + manifest->schema_version = 2; + manifest->media_type = util_strdup_s(DOCKER_MANIFEST_SCHEMA2_JSON); + +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index 5e062d44..569c5346 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -851,20 +851,17 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre) + id = oci_load_without_sha256_prefix(chain_id_pre); + if (id == NULL) { + ERROR("Get chain id failed from value:%s", chain_id_pre); +- size = -1; +- goto out; ++ return -1; + } + + l = storage_layer_get(id); + if (l == NULL) { + ERROR("Layer with chain id:%s is not exist in store", id); +- size = -1; +- goto out; ++ return -1; + } + + size = l->compress_size; + +-out: + free_layer(l); + return size; + } +@@ -883,8 +880,7 @@ static int oci_load_set_manifest_info(load_image_t *im) + im->manifest = util_common_calloc_s(sizeof(oci_image_manifest)); + if (im->manifest == NULL) { + ERROR("Out of memory"); +- ret = -1; +- goto out; ++ return -1; + } + + im->manifest->schema_version = OCI_SCHEMA_VERSION; +diff --git a/src/daemon/modules/image/oci/oci_load.h b/src/daemon/modules/image/oci/oci_load.h +index e1e09067..53ca87d2 100644 +--- a/src/daemon/modules/image/oci/oci_load.h ++++ b/src/daemon/modules/image/oci/oci_load.h +@@ -1,5 +1,5 @@ + /****************************************************************************** +-* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. ++* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +diff --git a/src/daemon/modules/image/oci/oci_login.c b/src/daemon/modules/image/oci/oci_login.c +index 22de9593..e9eec378 100644 +--- a/src/daemon/modules/image/oci/oci_login.c ++++ b/src/daemon/modules/image/oci/oci_login.c +@@ -1,5 +1,5 @@ + /****************************************************************************** +-* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. ++* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +diff --git a/src/daemon/modules/image/oci/oci_logout.c b/src/daemon/modules/image/oci/oci_logout.c +index 02fdb126..f8a63220 100644 +--- a/src/daemon/modules/image/oci/oci_logout.c ++++ b/src/daemon/modules/image/oci/oci_logout.c +@@ -1,5 +1,5 @@ + /****************************************************************************** +-* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. ++* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +diff --git a/src/daemon/modules/image/oci/oci_pull.c b/src/daemon/modules/image/oci/oci_pull.c +index 5b35ca2b..e7ff77df 100644 +--- a/src/daemon/modules/image/oci/oci_pull.c ++++ b/src/daemon/modules/image/oci/oci_pull.c +@@ -1,5 +1,5 @@ + /****************************************************************************** +-* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. ++* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +@@ -70,7 +70,7 @@ out: + return ret; + } + +-static void update_option_insecure_registry(registry_pull_options *options, char **insecure_registries, char *host) ++static void update_option_insecure_registry(registry_pull_options *options, char **insecure_registries, const char *host) + { + char **registry = NULL; + +diff --git a/src/daemon/modules/image/oci/registry/registry_apiv2.c b/src/daemon/modules/image/oci/registry/registry_apiv2.c +index 048fac94..db4d311e 100644 +--- a/src/daemon/modules/image/oci/registry/registry_apiv2.c ++++ b/src/daemon/modules/image/oci/registry/registry_apiv2.c +@@ -632,7 +632,7 @@ static int split_head_body(char *file, char **http_head) + } + body += strlen(deli); + +- ret = util_write_file(file, body, strlen(body), 0600); ++ ret = util_write_file(file, body, strlen(body), BODY_FILE_MODE); + if (ret != 0) { + ERROR("rewrite body to file failed"); + ret = -1; +diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c +index 55e3bb97..b7e0f0cc 100644 +--- a/src/daemon/modules/image/oci/storage/image_store/image_store.c ++++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c +@@ -146,7 +146,7 @@ static void free_image_store(image_store_t *store) + free(store); + } + +-void image_store_free() ++void image_store_free(void) + { + free_image_store(g_image_store); + g_image_store = NULL; +@@ -1185,6 +1185,11 @@ int image_store_set_big_data(const char *id, const char *key, const char *data) + return -1; + } + ++ if (id == NULL || data == NULL) { ++ ERROR("Empty id or data"); ++ return -1; ++ } ++ + if (g_image_store == NULL) { + ERROR("Image store is not ready"); + return -1; +@@ -1287,7 +1292,7 @@ int image_store_add_name(const char *id, const char *name) + size_t i; + + if (id == NULL || name == NULL) { +- ERROR("Invalid input paratemer: id(%s), name(%s)", id, name); ++ ERROR("Invalid input paratemer"); + return -1; + } + +@@ -1515,7 +1520,7 @@ int image_store_set_metadata(const char *id, const char *metadata) + image_t *img = NULL; + + if (id == NULL || metadata == NULL) { +- ERROR("Invalid paratemer: id(%s), metadata(%s)", id, metadata); ++ ERROR("Invalid paratemer"); + return -1; + } + +@@ -1664,7 +1669,6 @@ char *image_store_big_data(const char *id, const char *key) + } + + ret = get_data_path(img->simage->id, key, filename, sizeof(filename)); +- + if (ret != 0) { + ERROR("Failed to get big data file path: %s.", key); + goto out; +@@ -1809,7 +1813,7 @@ char *image_store_big_data_digest(const char *id, const char *key) + image_t *img = NULL; + char *digest = NULL; + +- if (key == NULL || strlen(key) == 0) { ++ if (key == NULL || strlen(key) == 0 || id == NULL) { + ERROR("Not a valid name for a big data item, can't retrieve image big data value for empty name"); + return NULL; + } +@@ -1854,8 +1858,8 @@ int image_store_big_data_names(const char *id, char ***names, size_t *names_len) + int ret = 0; + image_t *img = NULL; + +- if (id == NULL) { +- ERROR("Invalid parameter, id is NULL"); ++ if (id == NULL || names == NULL || names_len == NULL) { ++ ERROR("Invalid parameter"); + return -1; + } + +@@ -2724,7 +2728,7 @@ unlock: + return ret; + } + +-size_t image_store_get_images_number() ++size_t image_store_get_images_number(void) + { + size_t number = 0; + +@@ -3140,6 +3144,11 @@ int image_store_validate_manifest_schema_version_1(const char *path, bool *valid + char manifest_path[PATH_MAX] = { 0x00 }; + bool valid_v2_config = false; + ++ if (path == NULL || valid == NULL) { ++ ERROR("Empty path or valid"); ++ return -1; ++ } ++ + *valid = false; + nret = snprintf(manifest_path, sizeof(manifest_path), "%s/%s", path, IMAGE_DIGEST_BIG_DATA_KEY); + if (nret < 0 || (size_t)nret >= sizeof(manifest_path)) { +@@ -3698,6 +3707,11 @@ int remote_append_image_by_directory_with_lock(const char *id) + return -1; + } + ++ if (g_image_store == NULL) { ++ ERROR("Image store is not ready"); ++ return -1; ++ } ++ + if (!image_store_lock(EXCLUSIVE)) { + ERROR("Failed to lock remote image store when handle: %s", id); + return -1; +@@ -3732,6 +3746,11 @@ int remote_remove_image_from_memory_with_lock(const char *id) + return -1; + } + ++ if (g_image_store == NULL) { ++ ERROR("Image store is not ready"); ++ return -1; ++ } ++ + if (!image_store_lock(EXCLUSIVE)) { + ERROR("Failed to lock remote image store when handle: %s", id); + return -1; +@@ -3758,6 +3777,16 @@ char *remote_image_get_top_layer_from_json(const char *img_id) + storage_image *im = NULL; + parser_error err = NULL; + ++ if (img_id == NULL) { ++ ERROR("Empty img id"); ++ return NULL; ++ } ++ ++ if (g_image_store == NULL) { ++ ERROR("Image store is not ready"); ++ return NULL; ++ } ++ + nret = snprintf(image_path, sizeof(image_path), "%s/%s/%s", g_image_store->dir, img_id, IMAGE_JSON); + if (nret < 0 || (size_t)nret >= sizeof(image_path)) { + ERROR("Failed to get image path"); +diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.h b/src/daemon/modules/image/oci/storage/image_store/image_store.h +index 5164cc73..019a2881 100644 +--- a/src/daemon/modules/image/oci/storage/image_store/image_store.h ++++ b/src/daemon/modules/image/oci/storage/image_store/image_store.h +@@ -98,13 +98,13 @@ int image_store_set_image_size(const char *id, uint64_t size); + int image_store_get_all_images(imagetool_images_list *images_list); + + // On success, the number of the known images is returned. On failure, (size_t)-1 is returned +-size_t image_store_get_images_number(); ++size_t image_store_get_images_number(void); + + // Retrieves image file system info + int image_store_get_fs_info(imagetool_fs_info *fs_info); + + // Free memory of image store, but will not delete the persisted files +-void image_store_free(); ++void image_store_free(void); + + imagetool_image_summary *image_store_get_image_summary(const char *id); + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +index 4f19c26d..79541e54 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +@@ -499,14 +499,14 @@ bool has_metadata(const char *hash, struct device_set *devset) + bool ret = true; + int nret = 0; + +- if (hash == NULL) { ++ if (hash == NULL || devset == NULL) { + return true; + } + + metadata_path = metadata_dir(devset); + if (metadata_path == NULL) { + ERROR("Failed to get meta data directory"); +- goto out; ++ return false; + } + + nret = snprintf(metadata_file, sizeof(metadata_file), "%s/%s", metadata_path, util_valid_str(hash) ? hash : "base"); +@@ -541,7 +541,7 @@ static image_devmapper_device_info *load_metadata(const struct device_set *devse + metadata_path = metadata_dir(devset); + if (metadata_path == NULL) { + ERROR("Failed to get meta data directory"); +- goto out; ++ return NULL; + } + + nret = snprintf(metadata_file, sizeof(metadata_file), "%s/%s", metadata_path, util_valid_str(hash) ? hash : "base"); +@@ -3076,7 +3076,7 @@ int mount_device(const char *hash, const char *path, const struct driver_mount_o + char *dev_fname = NULL; + char *options = NULL; + +- if (hash == NULL || path == NULL) { ++ if (hash == NULL || path == NULL || devset == NULL) { + ERROR("devmapper: invalid input params to mount device"); + return -1; + } +@@ -3236,7 +3236,7 @@ int export_device_metadata(struct device_metadata *dev_metadata, const char *has + char *dm_name = NULL; + devmapper_device_info_t *device_info = NULL; + +- if (hash == NULL || dev_metadata == NULL) { ++ if (hash == NULL || dev_metadata == NULL || devset == NULL) { + ERROR("Invalid input params"); + return -1; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c +index ecb62f79..d62d3133 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c +@@ -198,7 +198,7 @@ int devmapper_rm_layer(const char *id, const struct graphdriver *driver) + } + + if (delete_device(id, false, driver->devset) != 0) { +- ERROR("failed to remove device %s", id); ++ ERROR("Failed to remove device %s", id); + return -1; + } + +@@ -624,7 +624,7 @@ int devmapper_clean_up(struct graphdriver *driver) + { + int ret = 0; + +- if (driver == NULL) { ++ if (driver == NULL || driver->devset == NULL || driver->home == NULL) { + ERROR("Invalid input param to cleanup devicemapper"); + return -1; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c +index e91ddd1e..e22311f1 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c +@@ -192,7 +192,7 @@ cleanup: + return NULL; + } + +-char *dev_get_driver_version() ++char *dev_get_driver_version(void) + { + struct dm_task *dmt = NULL; + char *version = NULL; +@@ -234,7 +234,7 @@ cleanup: + } + + // dev_get_library_version return the device mapper library version +-char *dev_get_library_version() ++char *dev_get_library_version(void) + { + char version[128] = { 0 }; + +@@ -679,7 +679,7 @@ cleanup: + return ret; + } + +-bool udev_sync_supported() ++bool udev_sync_supported(void) + { + return dm_udev_get_sync_support() != 0; + } +@@ -705,7 +705,8 @@ int dev_create_device(const char *pool_fname, int device_id) + int ret = 0; + int nret = 0; + uint64_t sector = 0; +- char message[PATH_MAX] = { 0 }; // 临时字符缓冲区上限 ++ // temporary character buffer limit ++ char message[PATH_MAX] = { 0 }; + struct dm_task *dmt = NULL; + + if (pool_fname == NULL) { +@@ -1066,7 +1067,7 @@ static void log_cb(int level, const char *file, int line, int dm_errno_or_class, + free(buffer); + } + +-void log_with_errno_init() ++void log_with_errno_init(void) + { + dm_log_with_errno_init(log_cb); + } +@@ -1136,7 +1137,8 @@ int dev_set_transaction_id(const char *pool_name, uint64_t old_id, uint64_t new_ + int ret = 0; + int nret = 0; + uint64_t sector = 0; +- char message[PATH_MAX] = { 0 }; // 临时字符缓冲区上限 ++ // temporary character buffer limit ++ char message[PATH_MAX] = { 0 }; + struct dm_task *dmt = NULL; + + if (pool_name == NULL) { +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h +index e8acebc0..01771a3b 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h +@@ -96,11 +96,11 @@ int set_dev_dir(const char *dir); + + struct dm_task* task_create_named(int type, const char *name); + +-void log_with_errno_init(); ++void log_with_errno_init(void); + +-char *dev_get_driver_version(); ++char *dev_get_driver_version(void); + +-char *dev_get_library_version(); ++char *dev_get_library_version(void); + + int dev_get_status(uint64_t *start, uint64_t *length, char **target_type, char **params, const char *name); + +@@ -112,7 +112,7 @@ int dev_remove_device_deferred(const char *name); + + int dev_get_device_list(char ***list, size_t *length); + +-bool udev_sync_supported(); ++bool udev_sync_supported(void); + + bool udev_set_sync_support(bool enable); + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +index 3b27076c..ced30b96 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +@@ -405,12 +405,6 @@ out: + return ret; + } + +-bool overlay2_is_quota_options(struct graphdriver *driver, const char *option) +-{ +- return strncmp(option, QUOTA_SIZE_OPTION, strlen(QUOTA_SIZE_OPTION)) == 0 || +- strncmp(option, QUOTA_BASESIZE_OPTIONS, strlen(QUOTA_BASESIZE_OPTIONS)) == 0; +-} +- + static int check_parent_valid(const char *parent, const struct graphdriver *driver) + { + int ret = 0; +@@ -1158,7 +1152,7 @@ int overlay2_rm_layer(const char *id, const struct graphdriver *driver) + struct stat stat_buf; + #endif + +- if (id == NULL || driver == NULL) { ++ if (id == NULL || driver == NULL || driver->home == NULL) { + ERROR("Invalid input arguments"); + return -1; + } +@@ -1844,6 +1838,11 @@ bool overlay2_layer_exists(const char *id, const struct graphdriver *driver) + char *layer_dir = NULL; + char *link_id = NULL; + ++ if (id == NULL || driver == NULL || driver->home == NULL) { ++ ERROR("Failed to verify overlay2 layer exists for empty id or driver"); ++ return false; ++ } ++ + layer_dir = util_path_join(driver->home, id); + if (layer_dir == NULL) { + ERROR("Failed to join layer dir:%s", id); +@@ -2075,7 +2074,7 @@ int overlay2_get_driver_status(const struct graphdriver *driver, struct graphdri + int nret = 0; + char tmp[MAX_INFO_LENGTH] = { 0 }; + +- if (driver == NULL || status == NULL) { ++ if (driver == NULL || status == NULL || driver->backing_fs == NULL) { + ERROR("Invalid input arguments"); + return -1; + } +@@ -2117,7 +2116,7 @@ int overlay2_clean_up(struct graphdriver *driver) + { + int ret = 0; + +- if (driver == NULL) { ++ if (driver == NULL || driver->home == NULL) { + ERROR("Invalid input arguments"); + ret = -1; + goto out; +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h +index e14271b1..438c508e 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h +@@ -35,8 +35,6 @@ extern "C" { + + int overlay2_init(struct graphdriver *driver, const char *driver_home, const char **options, size_t len); + +-bool overlay2_is_quota_options(struct graphdriver *driver, const char *option); +- + int overlay2_create_rw(const char *id, const char *parent, const struct graphdriver *driver, + struct driver_create_opts *create_opts); + +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer.c b/src/daemon/modules/image/oci/storage/layer_store/layer.c +index 4baeb7c2..4beb3d10 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer.c +@@ -46,7 +46,7 @@ void free_layer_t(layer_t *ptr) + free(ptr); + } + +-layer_t *create_empty_layer() ++layer_t *create_empty_layer(void) + { + layer_t *result = NULL; + int nret = 0; +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer.h b/src/daemon/modules/image/oci/storage/layer_store/layer.h +index f2dad648..9387efe0 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer.h +@@ -43,7 +43,7 @@ typedef struct _layer_t_ { + uint64_t refcnt; + } layer_t; + +-layer_t *create_empty_layer(); ++layer_t *create_empty_layer(void); + + void free_layer_t(layer_t *ptr); + void layer_ref_inc(layer_t *layer); +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +index 6ea3c48b..3ffe0ca7 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c +@@ -117,7 +117,7 @@ static inline void layer_store_unlock() + } + } + +-void layer_store_cleanup() ++void layer_store_cleanup(void) + { + struct linked_list *item = NULL; + struct linked_list *next = NULL; +@@ -230,7 +230,7 @@ static inline void delete_g_layer_list_item(struct linked_list *item, bool rm_va + g_metadata.layers_list_len -= 1; + } + +-void remove_layer_list_tail() ++void remove_layer_list_tail(void) + { + struct linked_list *item = NULL; + +@@ -1231,18 +1231,6 @@ int layer_store_delete(const char *id) + return ret; + } + +-bool layer_store_exists(const char *id) +-{ +- layer_t *l = lookup_with_lock(id); +- +- if (l == NULL) { +- return false; +- } +- +- layer_ref_dec(l); +- return true; +-} +- + static void copy_json_to_layer(const layer_t *jl, struct layer *l) + { + if (jl->slayer == NULL) { +@@ -1354,7 +1342,7 @@ int layer_store_by_compress_digest(const char *digest, struct layer_list *resp) + { + int ret = 0; + +- if (resp == NULL) { ++ if (digest == NULL || resp == NULL) { + return -1; + } + +@@ -1367,22 +1355,6 @@ int layer_store_by_compress_digest(const char *digest, struct layer_list *resp) + return ret; + } + +-int layer_store_by_uncompress_digest(const char *digest, struct layer_list *resp) +-{ +- int ret = 0; +- +- if (resp == NULL) { +- return -1; +- } +- if (!layer_store_lock(false)) { +- return -1; +- } +- +- ret = layers_by_digest_map(g_metadata.by_uncompress_digest, digest, resp); +- layer_store_unlock(); +- return ret; +-} +- + struct layer *layer_store_lookup(const char *name) + { + struct layer *ret = NULL; +@@ -1492,6 +1464,10 @@ int layer_store_try_repair_lowers(const char *id) + layer_t *l = NULL; + int ret = 0; + ++ if (id == NULL) { ++ return -1; ++ } ++ + l = lookup_with_lock(id); + if (l == NULL) { + return -1; +@@ -1807,7 +1783,7 @@ free_out: + return -1; + } + +-void layer_store_exit() ++void layer_store_exit(void) + { + graphdriver_cleanup(); + } +@@ -2116,6 +2092,11 @@ int layer_store_check(const char *id) + int ret = 0; + char *rootfs = NULL; + ++ if (id == NULL) { ++ ERROR("Failed to do layer store check for Empty id"); ++ return -1; ++ } ++ + layer_t *l = lookup_with_lock(id); + if (l == NULL || l->slayer == NULL) { + ERROR("layer %s not found when checking integration", id); +@@ -2157,6 +2138,11 @@ int remote_layer_remove_memory_stores_with_lock(const char *id) + { + int ret = 0; + ++ if (id == NULL) { ++ ERROR("Failed to lock layer store for empty id"); ++ return -1; ++ } ++ + if (!layer_store_lock(true)) { + ERROR("Failed to lock layer store when handle: %s", id); + return -1; +@@ -2237,6 +2223,11 @@ int remote_load_one_layer(const char *id) + layer_t *tl = NULL; + size_t i = 0; + ++ if (id == NULL) { ++ ERROR("Failed to do remote load one layer for empty id"); ++ return -1; ++ } ++ + if (!layer_store_lock(true)) { + return -1; + } +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h +index be8c52dc..20287119 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h +@@ -51,20 +51,18 @@ struct layer_opts { + }; + + int layer_store_init(const struct storage_module_init_options *conf); +-void layer_store_exit(); +-void layer_store_cleanup(); ++void layer_store_exit(void); ++void layer_store_cleanup(void); + +-void remove_layer_list_tail(); ++void remove_layer_list_tail(void); + int layer_store_create(const char *id, const struct layer_opts *opts, const struct io_read_wrapper *content, + char **new_id); + int layer_inc_hold_refs(const char *layer_id); + int layer_dec_hold_refs(const char *layer_id); + int layer_get_hold_refs(const char *layer_id, int *ref_num); + int layer_store_delete(const char *id); +-bool layer_store_exists(const char *id); + int layer_store_list(struct layer_list *resp); + int layer_store_by_compress_digest(const char *digest, struct layer_list *resp); +-int layer_store_by_uncompress_digest(const char *digest, struct layer_list *resp); + struct layer *layer_store_lookup(const char *name); + char *layer_store_mount(const char *id); + int layer_store_umount(const char *id, bool force); +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c +index b4a53ec1..07c4a5cc 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c +@@ -1,5 +1,5 @@ + /****************************************************************************** +- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2023. All rights reserved. ++ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +@@ -31,6 +31,11 @@ static map_t *image_byid_new = NULL; + + struct remote_image_data *remote_image_create(const char *remote_home, const char *remote_ro) + { ++ if (remote_home == NULL) { ++ ERROR("Empty remote home"); ++ return NULL; ++ } ++ + struct remote_image_data *data = util_common_calloc_s(sizeof(struct remote_image_data)); + if (data == NULL) { + ERROR("Out of memory"); +@@ -204,6 +209,11 @@ static int remote_image_add(void *data) + + void remote_image_refresh(struct remote_image_data *data) + { ++ if (data == NULL) { ++ ERROR("Skip refresh remote image for empty data"); ++ return; ++ } ++ + if (remote_dir_scan(data) != 0) { + ERROR("remote overlay failed to scan dir, skip refresh"); + return; +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c +index b1a1e944..7527f1e4 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c +@@ -31,6 +31,11 @@ static map_t *layer_byid_new = NULL; + + struct remote_layer_data *remote_layer_create(const char *layer_home, const char *layer_ro) + { ++ if (layer_home == NULL || layer_ro == NULL) { ++ ERROR("Empty layer home or layer ro"); ++ return NULL; ++ } ++ + struct remote_layer_data *data = util_common_calloc_s(sizeof(struct remote_layer_data)); + if (data == NULL) { + ERROR("Out of memory"); +@@ -232,6 +237,11 @@ static int remote_layer_add(struct remote_layer_data *data) + + void remote_layer_refresh(struct remote_layer_data *data) + { ++ if (data == NULL) { ++ ERROR("Skip refresh remote layer for empty data"); ++ return; ++ } ++ + if (remote_dir_scan(data) != 0) { + ERROR("remote layer failed to scan dir, skip refresh"); + return; +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c +index e44c64ef..38d9b0ce 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c +@@ -37,6 +37,11 @@ static map_t *overlay_id_link = NULL; + + struct remote_overlay_data *remote_overlay_create(const char *remote_home, const char *remote_ro) + { ++ if (remote_home == NULL || remote_ro == NULL) { ++ ERROR("Empty remote home or remote ro"); ++ return NULL; ++ } ++ + struct remote_overlay_data *data = util_common_calloc_s(sizeof(struct remote_overlay_data)); + if (data == NULL) { + ERROR("Out of memory"); +@@ -341,6 +346,11 @@ static int remote_overlay_add(struct remote_overlay_data *data) + + void remote_overlay_refresh(struct remote_overlay_data *data) + { ++ if (data == NULL) { ++ ERROR("Skip refresh remote overlay for empty data"); ++ return; ++ } ++ + if (remote_dir_scan(data) != 0) { + ERROR("remote overlay failed to scan dir, skip refresh"); + return; +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c +index 1bac8dd5..5bf9869b 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c +@@ -87,6 +87,11 @@ int remote_start_refresh_thread(pthread_rwlock_t *remote_lock) + pthread_t a_thread; + maintain_context ctx = get_maintain_context(); + ++ if (remote_lock == NULL) { ++ ERROR("Invalid remote lock"); ++ return -1; ++ } ++ + supporters.image_data = remote_image_create(ctx.image_home, NULL); + if (supporters.image_data == NULL) { + goto free_out; +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c +index 4d234aab..ea40ae45 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c +@@ -37,6 +37,8 @@ static char *layer_home; + static char *overlay_ro_dir; + static char *overlay_home; + ++#define LAYER_RO_DIR_MODE 0700 ++ + int remote_image_init(const char *root_dir) + { + if (root_dir == NULL) { +@@ -67,7 +69,7 @@ int remote_layer_init(const char *root_dir) + ERROR("Failed join path when init remote layer maintainer"); + goto out; + } +- if (!util_file_exists(layer_ro_dir) && util_mkdir_p(layer_ro_dir, 0700) != 0) { ++ if (!util_file_exists(layer_ro_dir) && util_mkdir_p(layer_ro_dir, LAYER_RO_DIR_MODE) != 0) { + ERROR("Failed to create RO dir under overlay"); + goto out; + } +@@ -127,6 +129,11 @@ static int do_build_ro_dir(const char *home, const char *id) + int nret = 0; + int ret = 0; + ++ if (home == NULL || id == NULL) { ++ ERROR("Empty home or id"); ++ return -1; ++ } ++ + nret = asprintf(&ro_symlink, "%s/%s", home, id); + if (nret < 0 || nret > PATH_MAX) { + SYSERROR("Failed create ro layer dir sym link path"); +@@ -183,7 +190,7 @@ int do_remove_ro_dir(const char *home, const char *id) + int ret = 0; + int nret = 0; + +- if (id == NULL) { ++ if (home == NULL || id == NULL) { + return 0; + } + +diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c +index ee1e15d0..7ed07029 100644 +--- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c ++++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c +@@ -121,7 +121,7 @@ static void free_rootfs_store(rootfs_store_t *store) + free(store); + } + +-void rootfs_store_free() ++void rootfs_store_free(void) + { + free_rootfs_store(g_rootfs_store); + g_rootfs_store = NULL; +@@ -1085,7 +1085,7 @@ out: + return ret; + } + +-int rootfs_store_wipe() ++int rootfs_store_wipe(void) + { + int ret = 0; + char *id = NULL; +@@ -1125,7 +1125,7 @@ int rootfs_store_set_metadata(const char *id, const char *metadata) + cntrootfs_t *cntr = NULL; + + if (id == NULL || metadata == NULL) { +- ERROR("Invalid paratemer: id(%s), metadata(%s)", id, metadata); ++ ERROR("Invalid paratemer"); + return -1; + } + +@@ -1331,7 +1331,7 @@ out: + return ret; + } + +-char *rootfs_store_get_data_dir() ++char *rootfs_store_get_data_dir(void) + { + return util_strdup_s(g_rootfs_store->dir); + } +\ No newline at end of file +diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h +index c23af091..63f3294b 100644 +--- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h ++++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h +@@ -48,7 +48,7 @@ char *rootfs_store_lookup(const char *id); + int rootfs_store_delete(const char *id); + + // Remove records of all containers +-int rootfs_store_wipe(); ++int rootfs_store_wipe(void); + + // Updates the metadata associated with the item with the specified ID. + int rootfs_store_set_metadata(const char *id, const char *metadata); +@@ -66,10 +66,10 @@ storage_rootfs *rootfs_store_get_rootfs(const char *id); + int rootfs_store_get_all_rootfs(struct rootfs_list *all_rootfs); + + // Return rootfs store data dir +-char *rootfs_store_get_data_dir(); ++char *rootfs_store_get_data_dir(void); + + // Free memory of container store, but will not delete the persisted files +-void rootfs_store_free(); ++void rootfs_store_free(void); + + #ifdef __cplusplus + } +diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c +index 13f8bb53..255ec89c 100644 +--- a/src/daemon/modules/image/oci/storage/storage.c ++++ b/src/daemon/modules/image/oci/storage/storage.c +@@ -194,6 +194,11 @@ int storage_inc_hold_refs(const char *layer_id) + { + int ret = 0; + ++ if (layer_id == NULL) { ++ ERROR("Empty layer id"); ++ return -1; ++ } ++ + if (!storage_lock(&g_storage_rwlock, true)) { + ERROR("Failed to lock image store when increase hold refs number for layer %s", layer_id); + return -1; +@@ -209,6 +214,11 @@ int storage_inc_hold_refs(const char *layer_id) + int storage_dec_hold_refs(const char *layer_id) + { + int ret = 0; ++ ++ if (layer_id == NULL) { ++ ERROR("Empty layer id"); ++ return -1; ++ } + + if (!storage_lock(&g_storage_rwlock, true)) { + ERROR("Failed to lock image store when decrease hold refs number for layer %s", layer_id); +@@ -284,6 +294,11 @@ struct layer_list *storage_layers_get_by_compress_digest(const char *digest) + int ret = 0; + struct layer_list *layers = NULL; + ++ if (digest == NULL) { ++ ERROR("Empty digest"); ++ return NULL; ++ } ++ + layers = util_common_calloc_s(sizeof(struct layer_list)); + if (layers == NULL) { + ERROR("Out of memory"); +@@ -539,7 +554,7 @@ char *storage_img_get_image_id(const char *img_name) + return image_store_lookup(img_name); + } + +-bool is_top_layer_of_other_image(const char *img_id, const imagetool_images_list *all_images, const char *layer_id) ++static bool is_top_layer_of_other_image(const char *img_id, const imagetool_images_list *all_images, const char *layer_id) + { + size_t i = 0; + +@@ -913,6 +928,11 @@ int storage_img_set_image_size(const char *image_id) + int ret = 0; + int64_t image_size = 0; + ++ if (image_id == NULL) { ++ ERROR("Empty image id"); ++ return -1; ++ } ++ + image_size = storage_img_cal_image_size(image_id); + if (image_size < 0) { + ERROR("Failed to get image %s size", image_id); +@@ -961,7 +981,7 @@ bool storage_image_exist(const char *image_or_id) + return image_store_exists(image_or_id); + } + +-size_t storage_get_img_count() ++size_t storage_get_img_count(void) + { + return image_store_get_images_number(); + } +@@ -1250,8 +1270,8 @@ int storage_rootfs_fs_usgae(const char *container_id, imagetool_fs_info *fs_info + } + + rootfs_info = rootfs_store_get_rootfs(container_id); +- if (rootfs_info == NULL) { +- ERROR("Failed to get rootfs %s info", container_id); ++ if (rootfs_info == NULL || rootfs_info->layer == NULL) { ++ ERROR("Failed to get valid rootfs %s info", container_id); + ret = -1; + goto out; + } +@@ -1278,7 +1298,7 @@ char *storage_rootfs_mount(const char *container_id) + } + + rootfs_info = rootfs_store_get_rootfs(container_id); +- if (rootfs_info == NULL) { ++ if (rootfs_info == NULL || rootfs_info->layer == NULL) { + ERROR("Failed to get rootfs %s info", container_id); + goto out; + } +@@ -1726,6 +1746,11 @@ container_inspect_graph_driver *storage_get_metadata_by_container_id(const char + storage_rootfs *rootfs_info = NULL; + container_inspect_graph_driver *container_metadata = NULL; + ++ if (id == NULL) { ++ ERROR("Empty id"); ++ return NULL; ++ } ++ + rootfs_info = rootfs_store_get_rootfs(id); + if (rootfs_info == NULL) { + ERROR("Failed to get rootfs %s info", id); +diff --git a/src/daemon/modules/image/oci/storage/storage.h b/src/daemon/modules/image/oci/storage/storage.h +index a761938c..718f7eff 100644 +--- a/src/daemon/modules/image/oci/storage/storage.h ++++ b/src/daemon/modules/image/oci/storage/storage.h +@@ -119,7 +119,7 @@ typedef struct storage_layer_create_opts { + + int storage_module_init(struct storage_module_init_options *opts); + +-void storage_module_exit(); ++void storage_module_exit(void); + + void free_storage_module_init_options(struct storage_module_init_options *opts); + +@@ -153,7 +153,7 @@ int storage_img_set_image_size(const char *image_id); + + char *storage_get_img_top_layer(const char *id); + +-size_t storage_get_img_count(); ++size_t storage_get_img_count(void); + + char *storage_img_get_image_id(const char *img_name); + +@@ -191,7 +191,7 @@ char *storage_rootfs_mount(const char *container_id); + + int storage_rootfs_umount(const char *container_id, bool force); + +-char *storage_rootfs_get_dir(); ++char *storage_rootfs_get_dir(void); + + container_inspect_graph_driver *storage_get_metadata_by_container_id(const char *id); + +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index 2c5656c6..f8fd1e73 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -247,7 +247,7 @@ int oci_split_image_name(const char *image_name, char **host, char **name, char + return 0; + } + +-char *get_hostname_to_strip() ++char *get_hostname_to_strip(void) + { + char *name = NULL; + +@@ -320,6 +320,11 @@ char *make_big_data_base_name(const char *key) + char *base_name = NULL; + size_t name_size; + ++ if (key == NULL) { ++ ERROR("Empty key"); ++ return NULL; ++ } ++ + if (should_use_origin_name(key)) { + return util_strdup_s(key); + } +diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h +index 97879e41..2238bb91 100644 +--- a/src/daemon/modules/image/oci/utils_images.h ++++ b/src/daemon/modules/image/oci/utils_images.h +@@ -57,7 +57,7 @@ int oci_split_search_name(const char *search_name, char **host, char **name); + + char *oci_get_isulad_tmpdir(const char *root_dir); + int makesure_isulad_tmpdir_perm_right(const char *root_dir); +-char *get_hostname_to_strip(); ++char *get_hostname_to_strip(void); + + char *oci_image_digest_pos(const char *name); + +diff --git a/src/utils/http/http.h b/src/utils/http/http.h +index cdd6d64f..02d56ba8 100644 +--- a/src/utils/http/http.h ++++ b/src/utils/http/http.h +@@ -107,6 +107,8 @@ struct http_get_options { + #define AUTHZ_UNIX_SOCK "/run/isulad/plugins/authz-broker.sock" + #define AUTHZ_REQUEST_URL "http://localhost/isulad.auth" + ++#define BODY_FILE_MODE 0600 ++ + /* http response code */ + enum http_response_code { + StatusContinue = 100, // RFC 7231, 6.2.1 +diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc +index ae9f4df1..943fa073 100644 +--- a/test/image/oci/storage/layers/storage_driver_ut.cc ++++ b/test/image/oci/storage/layers/storage_driver_ut.cc +@@ -269,12 +269,4 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_try_repair_lowers) + + std::string id { "1be74353c3d0fd55fb5638a52953e6f1bc441e5b1710921db9ec2aa202725569" }; + ASSERT_EQ(graphdriver_try_repair_lowers(id.c_str(), nullptr), 0); +-} +- +-TEST(StorageOverlay2QuotaOptionsTest, test_overlay2_is_quota_options) +-{ +- std::vector options { "overlay2.size", "overlay2.basesize" }; +- for (auto option : options) { +- ASSERT_TRUE(overlay2_is_quota_options(nullptr, option.c_str())); +- } +-} ++} +\ No newline at end of file +diff --git a/test/image/oci/storage/layers/storage_layers_ut.cc b/test/image/oci/storage/layers/storage_layers_ut.cc +index fca37e83..73611fdc 100644 +--- a/test/image/oci/storage/layers/storage_layers_ut.cc ++++ b/test/image/oci/storage/layers/storage_layers_ut.cc +@@ -278,19 +278,6 @@ TEST_F(StorageLayersUnitTest, test_layers_load) + free_layer_list(layer_list); + } + +-TEST_F(StorageLayersUnitTest, test_layer_store_exists) +-{ +- if (!support_overlay) { +- return; +- } +- +- std::string id { "7db8f44a0a8e12ea4283e3180e98880007efbd5de2e7c98b67de9cdd4dfffb0b" }; +- std::string incorrectId { "50551ff67da98ab8540d7132" }; +- +- ASSERT_TRUE(layer_store_exists(id.c_str())); +- ASSERT_FALSE(layer_store_exists(incorrectId.c_str())); +-} +- + TEST_F(StorageLayersUnitTest, test_layer_store_create) + { + if (!support_overlay) { +@@ -337,24 +324,3 @@ TEST_F(StorageLayersUnitTest, test_layer_store_by_compress_digest) + + free_layer_list(layer_list); + } +- +-TEST_F(StorageLayersUnitTest, test_layer_store_by_uncompress_digest) +-{ +- if (!support_overlay) { +- return; +- } +- +- std::string uncompress { "sha256:9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; +- std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; +- struct layer_list *layer_list = (struct layer_list *)util_common_calloc_s(sizeof(struct layer_list)); +- +- ASSERT_EQ(layer_store_by_uncompress_digest(uncompress.c_str(), layer_list), 0); +- ASSERT_EQ(layer_list->layers_len, 1); +- +- struct layer **layers = layer_list->layers; +- ASSERT_STREQ(layers[0]->id, id.c_str()); +- ASSERT_STREQ(layers[0]->uncompressed_digest, uncompress.c_str()); +- ASSERT_EQ(layers[0]->uncompress_size, 1672256); +- +- free_layer_list(layer_list); +-} +diff --git a/test/mocks/driver_overlay2_mock.cc b/test/mocks/driver_overlay2_mock.cc +index 6f24dbcf..6892539d 100644 +--- a/test/mocks/driver_overlay2_mock.cc ++++ b/test/mocks/driver_overlay2_mock.cc +@@ -39,11 +39,3 @@ int overlay2_parse_options(struct graphdriver *driver, const char **options, siz + } + return -1; + } +- +-bool overlay2_is_quota_options(struct graphdriver *driver, const char *option) +-{ +- if (g_driver_overlay2_mock != nullptr) { +- return g_driver_overlay2_mock->Overlay2IsQuotaOptions(driver, option); +- } +- return false; +-} +diff --git a/test/mocks/driver_overlay2_mock.h b/test/mocks/driver_overlay2_mock.h +index 071e6287..f09b715a 100644 +--- a/test/mocks/driver_overlay2_mock.h ++++ b/test/mocks/driver_overlay2_mock.h +@@ -24,7 +24,6 @@ public: + virtual ~MockDriverOverlay2() = default; + MOCK_METHOD1(Overlay2Init, int(struct graphdriver *)); + MOCK_METHOD3(Overlay2ParseOptions, int(struct graphdriver *, const char **, size_t)); +- MOCK_METHOD2(Overlay2IsQuotaOptions, bool(struct graphdriver *, const char *)); + }; + + void MockDriverOverlay2_SetMock(MockDriverOverlay2* mock); +-- +2.25.1 + diff --git a/0019-remove-password-in-url-module-and-clean-sensitive-in.patch b/0019-remove-password-in-url-module-and-clean-sensitive-in.patch new file mode 100644 index 0000000000000000000000000000000000000000..70a84cebab5db4888a41c09c8328dd268a3bb435 --- /dev/null +++ b/0019-remove-password-in-url-module-and-clean-sensitive-in.patch @@ -0,0 +1,332 @@ +From 4adc923cfaf25142aa4cbb909d65c0f3a999cc02 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 29 Aug 2023 11:41:26 +0800 +Subject: [PATCH 19/32] remove password in url module and clean sensitive info + in struct passwd + +Signed-off-by: zhongtao +--- + .../modules/image/image_rootfs_handler.c | 13 +- + src/utils/cpputils/url.cc | 144 +----------------- + src/utils/cpputils/url.h | 19 +-- + 3 files changed, 15 insertions(+), 161 deletions(-) + +diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c +index 1a3f4307..a8036ab9 100644 +--- a/src/daemon/modules/image/image_rootfs_handler.c ++++ b/src/daemon/modules/image/image_rootfs_handler.c +@@ -85,6 +85,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + char buf[BUFSIZ] = { 0 }; + struct passwd pw; + struct passwd *pwbufp = NULL; ++ int ret = -1; + + if (f_passwd != NULL) { + #if defined (__ANDROID__) || defined(__MUSL__) +@@ -116,7 +117,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + if (errval != 0 && errval != ENOENT) { + ERROR("Failed to parse passwd file: Insufficient buffer space supplied"); + isulad_set_error_message("Failed to parse passwd file: Insufficient buffer space supplied"); +- return -1; ++ goto out; + } + if (!userfound && user != NULL) { + int uret = util_safe_llong(user, &n_user); +@@ -124,16 +125,20 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + if (uret != 0) { + ERROR("Unable to find user '%s'", user); + isulad_set_error_message("Unable to find user '%s': no matching entries in passwd file", user); +- return -1; ++ goto out; + } + if (n_user < MINUID || n_user > MAXUID) { + uids_gids_range_err_log(); +- return -1; ++ goto out; + } + puser->uid = (uid_t)n_user; + } ++ ret = 0; + +- return 0; ++out: ++ memset(buf, 0, sizeof(buf)); ++ memset(pwbufp, 0, sizeof(struct passwd)); ++ return ret; + } + + static int append_additional_gids(gid_t gid, gid_t **additional_gids, size_t *len) +diff --git a/src/utils/cpputils/url.cc b/src/utils/cpputils/url.cc +index 117eba7e..baaded07 100644 +--- a/src/utils/cpputils/url.cc ++++ b/src/utils/cpputils/url.cc +@@ -266,12 +266,7 @@ std::string Escape(const std::string &s, const EncodeMode &mode) + + UserInfo *User(const std::string &username) noexcept + { +- return new UserInfo { username, "", false }; +-} +- +-UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept +-{ +- return new UserInfo { username, password, true }; ++ return new UserInfo { username }; + } + + int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path) +@@ -324,24 +319,6 @@ void Split(const std::string &s, const std::string &c, bool cutc, std::string &t + u = s.substr(i, s.size()); + } + +-URLDatum *Parse(const std::string &rawurl) +-{ +- std::string u, frag; +- Split(rawurl, "#", true, u, frag); +- auto *url = Parse(u, false); +- if (url == nullptr) { +- return nullptr; +- } +- if (frag.empty()) { +- return url; +- } +- url->SetFragment(Unescape(frag, EncodeMode::ENCODE_FRAGMENT)); +- if (url->GetFragment().empty()) { +- return nullptr; +- } +- return url; +-} +- + int SplitOffPossibleLeading(std::string &scheme, const std::string &rawurl, URLDatum *url, std::string &rest) + { + if (Getscheme(rawurl, scheme, rest) != 0) { +@@ -385,108 +362,6 @@ URLDatum *HandleNonBackslashPrefix(URLDatum *url, const std::string &scheme, con + return nullptr; + } + +-int SetURLDatumInfo(URLDatum *url, const std::string &scheme, bool viaRequest, std::string &rest) +-{ +- if ((!scheme.empty() || (!viaRequest && rest.substr(0, 3) == "///")) && rest.substr(0, 2) == "//") { +- std::string authority; +- Split(rest.substr(2, rest.size()), "/", false, authority, rest); +- std::string host = url->GetHost(); +- UserInfo *user = url->GetUser(); +- if (ParseAuthority(authority, &user, host)) { +- return -1; +- } +- url->SetHost(host); +- url->SetUser(user); +- } +- if (url->SetPath(rest)) { +- return -1; +- } +- url->SetScheme(scheme); +- return 0; +-} +- +-URLDatum *Parse(const std::string &rawurl, bool viaRequest) +-{ +- if (rawurl.empty() && viaRequest) { +- ERROR("empty url!"); +- return nullptr; +- } +- auto *url = new (std::nothrow) URLDatum; +- if (url == nullptr) { +- ERROR("Out of memory"); +- return nullptr; +- } +- if (rawurl == "*") { +- url->SetPathWithoutEscape("*"); +- return url; +- } +- std::string scheme = url->GetScheme(); +- std::string rest; +- if (SplitOffPossibleLeading(scheme, rawurl, url, rest) != 0) { +- return nullptr; +- } +- bool shouldRet = false; +- auto *tmpret = HandleNonBackslashPrefix(url, scheme, rest, viaRequest, shouldRet); +- if (shouldRet) { +- return tmpret; +- } +- if (SetURLDatumInfo(url, scheme, viaRequest, rest) != 0) { +- return nullptr; +- } +- return url; +-} +- +-int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host) +-{ +- size_t i = authority.find("@"); +- if (i == std::string::npos) { +- if (ParseHost(authority, host) != 0) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- } else { +- if (ParseHost(authority.substr(i + 1, authority.size()), host) != 0) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- } +- if (i == std::string::npos) { +- *user = nullptr; +- return 0; +- } +- +- std::string userinfo = authority.substr(0, i); +- if (!ValidUserinfo(userinfo)) { +- *user = nullptr; +- host = ""; +- ERROR("net/url: invalid userinfo"); +- return -1; +- } +- if (userinfo.find(":") == std::string::npos) { +- userinfo = Unescape(userinfo, EncodeMode::ENCODE_USER_PASSWORD); +- if (userinfo.empty()) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- *user = User(userinfo); +- } else { +- std::string servername, serverword; +- Split(userinfo, ":", true, servername, serverword); +- servername = Unescape(servername, EncodeMode::ENCODE_USER_PASSWORD); +- serverword = Unescape(serverword, EncodeMode::ENCODE_USER_PASSWORD); +- if (servername.empty() || serverword.empty()) { +- *user = nullptr; +- host = ""; +- return -1; +- } +- *user = UserPassword(servername, serverword); +- } +- return 0; +-} +- + int ParseHost(std::string host, std::string &out) + { + if (host.at(0) == '[') { +@@ -756,9 +631,6 @@ std::string UserInfo::String() const + std::string s; + if (!m_username.empty()) { + s = Escape(m_username, EncodeMode::ENCODE_USER_PASSWORD); +- if (m_passwordSet) { +- s += ":" + Escape(m_password, EncodeMode::ENCODE_USER_PASSWORD); +- } + } + return s; + } +@@ -766,11 +638,6 @@ std::string UserInfo::Username() const + { + return m_username; + } +-std::string UserInfo::Password(bool &set) const +-{ +- set = m_passwordSet; +- return m_password; +-} + + URLDatum::~URLDatum() + { +@@ -860,15 +727,6 @@ bool URLDatum::IsAbs() const + return (m_scheme != ""); + } + +-std::unique_ptr URLDatum::UrlParse(const std::string &ref) +-{ +- auto *refurl = Parse(ref); +- if (refurl == nullptr) { +- return nullptr; +- } +- return ResolveReference(refurl); +-} +- + std::unique_ptr URLDatum::ResolveReference(URLDatum *ref) + { + std::unique_ptr url(new (std::nothrow) URLDatum(*ref)); +diff --git a/src/utils/cpputils/url.h b/src/utils/cpputils/url.h +index abbf20f4..3dd40079 100644 +--- a/src/utils/cpputils/url.h ++++ b/src/utils/cpputils/url.h +@@ -49,17 +49,13 @@ private: + + class UserInfo { + public: +- UserInfo(const std::string &u, const std::string &p, bool b) : m_username(u), m_password(p), +- m_passwordSet(b) {} ++ UserInfo(const std::string &u) : m_username(u) {} + ~UserInfo() = default; + std::string String() const; + std::string Username() const; +- std::string Password(bool &set) const; + + private: + std::string m_username; +- std::string m_password; +- bool m_passwordSet; + }; + + class URLDatum { +@@ -69,7 +65,6 @@ public: + std::string EscapedPath(); + std::string String(); + bool IsAbs() const; +- std::unique_ptr UrlParse(const std::string &ref); + std::unique_ptr ResolveReference(URLDatum *ref); + auto Query()->std::map>; + std::string RequestURI(); +@@ -88,7 +83,7 @@ public: + { + m_opaque = value; + } +- std::string GetOpaque() const ++ std::string GetOpaque() const + { + return m_opaque; + } +@@ -96,7 +91,7 @@ public: + { + m_user = value; + } +- UserInfo *GetUser() const ++ UserInfo *GetUser() const + { + return m_user; + } +@@ -128,7 +123,7 @@ public: + { + m_rawQuery = value; + } +- std::string GetRawQuery() const ++ std::string GetRawQuery() const + { + return m_rawQuery; + } +@@ -136,7 +131,7 @@ public: + { + m_fragment = value; + } +- std::string GetFragment() const ++ std::string GetFragment() const + { + return m_fragment; + } +@@ -163,13 +158,9 @@ std::string QueryUnescape(const std::string &s); + std::string Unescape(std::string s, const EncodeMode &mode); + std::string QueryEscape(const std::string &s); + std::string Escape(const std::string &s, const EncodeMode &mode); +-UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept; + UserInfo *User(const std::string &username) noexcept; + int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path); + void Split(const std::string &s, const std::string &c, bool cutc, std::string &t, std::string &u); +-URLDatum *Parse(const std::string &rawurl); +-URLDatum *Parse(const std::string &rawurl, bool viaRequest); +-int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host); + int ParseHost(std::string host, std::string &out); + bool ValidEncodedPath(const std::string &s); + bool ValidOptionalPort(const std::string &port); +-- +2.25.1 + diff --git a/0020-2153-fix-codecheck.patch b/0020-2153-fix-codecheck.patch new file mode 100644 index 0000000000000000000000000000000000000000..1da123b8ffb5e89954947c6fea92a33bdaf2cdd8 --- /dev/null +++ b/0020-2153-fix-codecheck.patch @@ -0,0 +1,447 @@ +From d9c60a7309f3616c1d9d0051ba338a8def37a538 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 29 Aug 2023 09:38:53 +0000 +Subject: [PATCH 20/32] !2153 fix codecheck * fix codecheck + +--- + src/daemon/modules/image/embedded/load.c | 2 +- + src/daemon/modules/image/image.c | 4 +- + src/daemon/modules/image/oci/oci_login.h | 2 - + src/daemon/modules/image/oci/oci_logout.h | 2 - + .../oci/storage/image_store/image_store.c | 1 - + .../oci/storage/image_store/image_store.h | 2 - + .../graphdriver/devmapper/deviceset.c | 9 ++- + .../graphdriver/devmapper/deviceset.h | 5 +- + .../graphdriver/devmapper/driver_devmapper.h | 16 ++--- + .../graphdriver/devmapper/wrapper_devmapper.h | 2 - + .../storage/layer_store/graphdriver/driver.c | 2 +- + .../storage/layer_store/graphdriver/driver.h | 59 ++++++++----------- + .../graphdriver/overlay2/driver_overlay2.c | 3 - + .../graphdriver/overlay2/driver_overlay2.h | 8 +-- + .../graphdriver/quota/project_quota.h | 1 - + .../oci/storage/layer_store/layer_store.h | 4 -- + .../overlay_remote_impl.c | 1 - + .../remote_layer_support/remote_support.c | 2 +- + .../remote_layer_support/remote_support.h | 2 +- + .../oci/storage/rootfs_store/rootfs_store.h | 4 -- + 20 files changed, 46 insertions(+), 85 deletions(-) + +diff --git a/src/daemon/modules/image/embedded/load.c b/src/daemon/modules/image/embedded/load.c +index dc2aeba2..92ac42ad 100644 +--- a/src/daemon/modules/image/embedded/load.c ++++ b/src/daemon/modules/image/embedded/load.c +@@ -36,7 +36,7 @@ static char *replace_suffix_to_sgn(const char *file) + ERROR("invalid NULL param"); + return NULL; + } +- if (sizeof(".sgn") > SIZE_MAX - strlen(file)) { ++ if (strlen(file) > SIZE_MAX - sizeof(".sgn")) { + return NULL; + } + len = strlen(file) + sizeof(".sgn"); +diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c +index 408ceea2..a14f2ac3 100644 +--- a/src/daemon/modules/image/image.c ++++ b/src/daemon/modules/image/image.c +@@ -784,7 +784,9 @@ int im_merge_image_config(const char *image_type, const char *image_name, contai + int ret = 0; + struct bim *bim = NULL; + +- if (container_spec == NULL || image_name == NULL || image_type == NULL) { ++ // there is no need to judge the image name as empty, ++ // because the image name of external type allows it to be empty. ++ if (container_spec == NULL || image_type == NULL) { + ERROR("Invalid input arguments"); + ret = -1; + goto out; +diff --git a/src/daemon/modules/image/oci/oci_login.h b/src/daemon/modules/image/oci/oci_login.h +index ab261ebd..acf6eeb6 100644 +--- a/src/daemon/modules/image/oci/oci_login.h ++++ b/src/daemon/modules/image/oci/oci_login.h +@@ -15,8 +15,6 @@ + #ifndef DAEMON_MODULES_IMAGE_OCI_OCI_LOGIN_H + #define DAEMON_MODULES_IMAGE_OCI_OCI_LOGIN_H + +-#include +- + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/src/daemon/modules/image/oci/oci_logout.h b/src/daemon/modules/image/oci/oci_logout.h +index 81f0196c..c0a9bb8b 100644 +--- a/src/daemon/modules/image/oci/oci_logout.h ++++ b/src/daemon/modules/image/oci/oci_logout.h +@@ -15,8 +15,6 @@ + #ifndef DAEMON_MODULES_IMAGE_OCI_OCI_LOGOUT_H + #define DAEMON_MODULES_IMAGE_OCI_OCI_LOGOUT_H + +-#include +- + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c +index b7e0f0cc..f49f4707 100644 +--- a/src/daemon/modules/image/oci/storage/image_store/image_store.c ++++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c +@@ -2123,7 +2123,6 @@ static int pack_repo_digest(char ***old_repo_digests, const char **image_tags, c + } + + for (i = 0; i < util_array_len((const char **)*repo_digests); i++) { +- bool value = true; + if (!map_replace(digest_map, (void *)(*repo_digests)[i], &value)) { + ERROR("Failed to insert pair to digest map: %s", (*repo_digests)[i]); + ret = -1; +diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.h b/src/daemon/modules/image/oci/storage/image_store/image_store.h +index 019a2881..4544f84b 100644 +--- a/src/daemon/modules/image/oci/storage/image_store/image_store.h ++++ b/src/daemon/modules/image/oci/storage/image_store/image_store.h +@@ -29,8 +29,6 @@ + #include "isula_libutils/imagetool_images_list.h" + #include "isula_libutils/imagetool_image_summary.h" + +-struct storage_module_init_options; +- + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +index 79541e54..4652c71a 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +@@ -105,7 +105,6 @@ static int handle_dm_min_free_space(char *val, struct device_set *devset) + { + long converted = 0; + int ret = util_parse_percent_string(val, &converted); +- + if (ret != 0 || converted >= 100) { + errno = -ret; + SYSERROR("Invalid min free space: '%s'", val); +@@ -293,7 +292,8 @@ static char *deviceset_meta_file(const struct device_set *devset) + return file; + } + +-// get_dm_name return value format:container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 ++// get_dm_name return value format: ++// container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 + static char *get_dm_name(const struct device_set *devset, const char *hash) + { + int nret = 0; +@@ -312,7 +312,8 @@ static char *get_dm_name(const struct device_set *devset, const char *hash) + return util_strdup_s(buff); + } + +-// get_dev_name return value fromat:/dev/mapper/container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 ++// get_dev_name return value fromat: ++// /dev/mapper/container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 + static char *get_dev_name(const char *name) + { + return util_string_append(name, DEVMAPPER_DECICE_DIRECTORY); +@@ -2351,7 +2352,6 @@ static int setup_base_image(struct device_set *devset) + devmapper_device_info_t *device_info = NULL; + + device_info = lookup_device(devset, "base"); +- + // base image already exists. If it is initialized properly, do UUID + // verification and return. Otherwise remove image and set it up + // fresh. +@@ -2504,7 +2504,6 @@ static void cleanup_deleted_devices(struct graphdriver *driver) + goto unlock_driver; + } + +- + if (driver->devset->nr_deleted_devices == 0) { + DEBUG("devmapper: no devices to delete"); + goto unlock_devset; +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h +index ec985e40..d7f7d184 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h +@@ -23,10 +23,7 @@ + + #include "driver.h" + #include "metadata_store.h" +- +-struct device_set; +-struct driver_mount_opts; +-struct graphdriver; ++#include "devices_constants.h" + + #ifdef __cplusplus + extern "C" { +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h +index 9ee020de..dca2d614 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h +@@ -16,22 +16,18 @@ + #define DAEMON_MODULES_IMAGE_OCI_STORAGE_LAYER_STORE_GRAPHDRIVER_DEVMAPPER_DRIVER_DEVMAPPER_H + + #include +-#include +-#include + #include + #include + #include ++#include ++#include ++#include ++#include + + #include "driver.h" + #include "map.h" +-#include "isula_libutils/image_devmapper_transaction.h" +-#include "isula_libutils/image_devmapper_deviceset_metadata.h" +- +-struct driver_create_opts; +-struct driver_mount_opts; +-struct graphdriver; +-struct graphdriver_status; +-struct io_read_wrapper; ++#include "image_api.h" ++#include "io_wrapper.h" + + #ifdef __cplusplus + extern "C" { +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h +index 01771a3b..4b2ae82b 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h +@@ -24,8 +24,6 @@ + + #include "driver.h" + +-struct dm_task; +- + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c +index fc2857b6..fb549bae 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c +@@ -1,5 +1,5 @@ + /****************************************************************************** +- * Copyright (c) Huawei Technologies Co., Ltd. 2017-2019. All rights reserved. ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h +index acd847cc..2fcfa12b 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h +@@ -1,5 +1,5 @@ + /****************************************************************************** +- * Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. ++ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +@@ -20,25 +20,42 @@ + #include + #include + #include ++#include ++#include + +-#include "isula_libutils/container_inspect.h" +-#include "isula_libutils/json_common.h" + #include "io_wrapper.h" + #include "driver_overlay2_types.h" + #include "devices_constants.h" + #include "storage.h" + #include "image_api.h" +-#include "isula_libutils/container_inspect.h" +- +-struct graphdriver_status; +-struct io_read_wrapper; +-struct storage_module_init_options; + + #ifdef __cplusplus + extern "C" { + #endif + +-struct graphdriver; ++struct graphdriver { ++ // common implement ++ const struct graphdriver_ops *ops; ++ const char *name; ++ const char *home; ++ char *backing_fs; ++ bool support_dtype; ++ ++ bool support_quota; ++#ifdef ENABLE_REMOTE_LAYER_STORE ++ bool enable_remote_layer; ++#endif ++ struct pquota_control *quota_ctrl; ++ ++ // options for overlay2 ++ struct overlay_options *overlay_opts; ++ ++ // options for device mapper ++ struct device_set *devset; ++ ++ // lock to protect graphdriver between cleanup and other operations ++ pthread_rwlock_t rwlock; ++}; + + struct driver_create_opts { + char *mount_label; +@@ -81,30 +98,6 @@ struct graphdriver_ops { + int (*get_layer_fs_info)(const char *id, const struct graphdriver *driver, imagetool_fs_info *fs_info); + }; + +-struct graphdriver { +- // common implement +- const struct graphdriver_ops *ops; +- const char *name; +- const char *home; +- char *backing_fs; +- bool support_dtype; +- +- bool support_quota; +-#ifdef ENABLE_REMOTE_LAYER_STORE +- bool enable_remote_layer; +-#endif +- struct pquota_control *quota_ctrl; +- +- // options for overlay2 +- struct overlay_options *overlay_opts; +- +- // options for device mapper +- struct device_set *devset; +- +- // lock to protect graphdriver between cleanup and other operations +- pthread_rwlock_t rwlock; +-}; +- + int graphdriver_init(const struct storage_module_init_options *opts); + + int graphdriver_create_rw(const char *id, const char *parent, struct driver_create_opts *create_opts); +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +index ced30b96..7517dd43 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c +@@ -648,7 +648,6 @@ const static int check_lower_depth(const char *lowers_str) + + lowers_arr = util_string_split(lowers_str, ':'); + lowers_size = util_array_len((const char **)lowers_arr); +- + if (lowers_size > OVERLAY_LAYER_MAX_DEPTH) { + ERROR("Max depth exceeded %s", lowers_str); + ret = -1; +@@ -1274,7 +1273,6 @@ static int append_rel_empty_path(const char *id, char ***rel_lowers) + char *rel_path = NULL; + + rel_path = util_string_append("/empty", id); +- + if (util_array_append(rel_lowers, rel_path) != 0) { + SYSERROR("Can't append relative layer:%s", rel_path); + ret = -1; +@@ -2181,7 +2179,6 @@ int overlay2_repair_lowers(const char *id, const char *parent, const struct grap + lowers_str = read_layer_lower_file(layer_dir); + lowers_arr = util_string_split(lowers_str, ':'); + lowers_size = util_array_len((const char **)lowers_arr); +- + if (lowers_size != 0) { + if (check_lower_valid(driver->home, lowers_arr[0]) == 0) { + DEBUG("Try to repair layer %s, success check", id); +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h +index 438c508e..444c0670 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h +@@ -22,12 +22,8 @@ + #include + + #include "driver.h" +- +-struct driver_create_opts; +-struct driver_mount_opts; +-struct graphdriver; +-struct graphdriver_status; +-struct io_read_wrapper; ++#include "image_api.h" ++#include "io_wrapper.h" + + #ifdef __cplusplus + extern "C" { +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h +index 94230faa..6cda7456 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h +index 20287119..eba406d4 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h ++++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h +@@ -24,10 +24,6 @@ + #include "storage.h" + #include "io_wrapper.h" + +-struct io_read_wrapper; +-struct layer_list; +-struct storage_module_init_options; +- + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c +index 38d9b0ce..86e05ac2 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c +@@ -185,7 +185,6 @@ static int remove_one_remote_overlay_layer(struct remote_overlay_data *data, con + } + + link_id = (char *)map_search(overlay_id_link, (void *)overlay_id); +- + if (link_id == NULL) { + ERROR("Failed to find link id for overlay layer: %s", overlay_id); + ret = -1; +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c +index 5bf9869b..eb919321 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c +@@ -1,5 +1,5 @@ + /****************************************************************************** +- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2020. All rights reserved. ++ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h +index 30e3ebb0..545cbe49 100644 +--- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h ++++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h +@@ -1,5 +1,5 @@ + /****************************************************************************** +- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2023. All rights reserved. ++ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. + * iSulad licensed under the Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: +diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h +index 63f3294b..d618c401 100644 +--- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h ++++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h +@@ -24,10 +24,6 @@ + #include "storage.h" + #include "rootfs.h" + +-struct rootfs_list; +-struct storage_module_init_options; +-struct storage_rootfs_options; +- + #ifdef __cplusplus + extern "C" { + #endif +-- +2.25.1 + diff --git a/0021-2157-bugfix-for-memset.patch b/0021-2157-bugfix-for-memset.patch new file mode 100644 index 0000000000000000000000000000000000000000..644e8412812c6ae3e5f53bd0d78da8e246f2e502 --- /dev/null +++ b/0021-2157-bugfix-for-memset.patch @@ -0,0 +1,25 @@ +From 14bc12be8e4219a78b877e60affd4f584ccab220 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 29 Aug 2023 13:18:34 +0000 +Subject: [PATCH 21/32] !2157 bugfix for memset * bugfix for memset + +--- + src/daemon/modules/image/image_rootfs_handler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c +index a8036ab9..ceea4f5b 100644 +--- a/src/daemon/modules/image/image_rootfs_handler.c ++++ b/src/daemon/modules/image/image_rootfs_handler.c +@@ -137,7 +137,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * + + out: + memset(buf, 0, sizeof(buf)); +- memset(pwbufp, 0, sizeof(struct passwd)); ++ memset(&pw, 0, sizeof(struct passwd)); + return ret; + } + +-- +2.25.1 + diff --git a/0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch b/0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch new file mode 100644 index 0000000000000000000000000000000000000000..2c3d826c42c462fc3dda09a83409363a65bbc570 --- /dev/null +++ b/0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch @@ -0,0 +1,223 @@ +From 0c0bc7a873cb5377aa0d5587c28d711a09f00811 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Wed, 30 Aug 2023 09:56:29 +0000 +Subject: [PATCH 22/32] !2159 use macros to isolate the password option of + login and the plugin module * use macros to isolate the password option of + login and the plugin module + +--- + cmake/options.cmake | 14 ++++++++++ + src/cmd/isula/images/login.h | 28 +++++++++++++------ + src/cmd/isulad/main.c | 2 ++ + .../executor/container_cb/execution_create.c | 2 ++ + src/daemon/modules/CMakeLists.txt | 13 +++++++-- + src/daemon/modules/api/CMakeLists.txt | 3 ++ + .../container/container_events_handler.c | 2 ++ + .../modules/service/service_container.c | 4 +++ + 8 files changed, 57 insertions(+), 11 deletions(-) + +diff --git a/cmake/options.cmake b/cmake/options.cmake +index 5fc5c221..e733fd1c 100644 +--- a/cmake/options.cmake ++++ b/cmake/options.cmake +@@ -138,6 +138,20 @@ if (ENABLE_NATIVE_NETWORK OR ENABLE_GRPC) + set(ENABLE_NETWORK 1) + endif() + ++option(ENABLE_PLUGIN "enable plugin module" OFF) ++if (ENABLE_PLUGIN STREQUAL "ON") ++ add_definitions(-DENABLE_PLUGIN=1) ++ set(ENABLE_PLUGIN 1) ++ message("${Green}-- Enable plugin module${ColourReset}") ++endif() ++ ++option(ENABLE_LOGIN_PASSWORD_OPTION "enable login password option" ON) ++if (ENABLE_LOGIN_PASSWORD_OPTION STREQUAL "ON") ++ add_definitions(-DENABLE_LOGIN_PASSWORD_OPTION=1) ++ set(ENABLE_LOGIN_PASSWORD_OPTION 1) ++ message("${Green}-- Enable login password option${ColourReset}") ++endif() ++ + option(EANBLE_IMAGE_LIBARAY "create libisulad_image.so" ON) + if (EANBLE_IMAGE_LIBARAY STREQUAL "ON") + add_definitions(-DEANBLE_IMAGE_LIBARAY) +diff --git a/src/cmd/isula/images/login.h b/src/cmd/isula/images/login.h +index 5f9a676c..38829cba 100644 +--- a/src/cmd/isula/images/login.h ++++ b/src/cmd/isula/images/login.h +@@ -24,16 +24,28 @@ + extern "C" { + #endif + ++#ifdef ENABLE_LOGIN_PASSWORD_OPTION + #define LOGIN_OPTIONS(cmdargs) \ +- { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \ +- { CMD_OPT_TYPE_STRING_DUP, false, "password", 'p', &(cmdargs).password, "Password", NULL }, \ +- { CMD_OPT_TYPE_BOOL, \ +- false, \ +- "password-stdin", \ +- 0, \ +- &(cmdargs).password_stdin, \ +- "Take the password from stdin", \ ++ { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \ ++ { CMD_OPT_TYPE_STRING_DUP, false, "password", 'p', &(cmdargs).password, "Password", NULL }, \ ++ { CMD_OPT_TYPE_BOOL, \ ++ false, \ ++ "password-stdin", \ ++ 0, \ ++ &(cmdargs).password_stdin, \ ++ "Take the password from stdin", \ + NULL }, ++#else ++#define LOGIN_OPTIONS(cmdargs) \ ++ { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \ ++ { CMD_OPT_TYPE_BOOL, \ ++ false, \ ++ "password-stdin", \ ++ 0, \ ++ &(cmdargs).password_stdin, \ ++ "Take the password from stdin", \ ++ NULL }, ++#endif + + extern const char g_cmd_login_desc[]; + extern const char g_cmd_login_usage[]; +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index 8369f9e2..4740f91a 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -1685,10 +1685,12 @@ int main(int argc, char **argv) + goto failure; + } + ++#ifdef ENABLE_PLUGIN + if (start_plugin_manager()) { + ERROR("Failed to init plugin_manager"); + goto failure; + } ++#endif + + clock_gettime(CLOCK_MONOTONIC, &t_end); + use_time = (double)(t_end.tv_sec - t_start.tv_sec) * (double)1000000000 + (double)(t_end.tv_nsec - t_start.tv_nsec); +diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c +index 9c097121..377aa1aa 100644 +--- a/src/daemon/executor/container_cb/execution_create.c ++++ b/src/daemon/executor/container_cb/execution_create.c +@@ -1499,6 +1499,7 @@ int container_create_cb(const container_create_request *request, container_creat + goto clean_netns; + } + ++#ifdef ENABLE_PLUGIN + /* modify oci_spec by plugin. */ + if (plugin_event_container_pre_create(id, oci_spec) != 0) { + ERROR("Plugin event pre create failed"); +@@ -1506,6 +1507,7 @@ int container_create_cb(const container_create_request *request, container_creat + cc = ISULAD_ERR_EXEC; + goto clean_netns; + } ++#endif + + host_channel = dup_host_channel(host_spec->host_channel); + if (prepare_host_channel(host_channel, host_spec->user_remap)) { +diff --git a/src/daemon/modules/CMakeLists.txt b/src/daemon/modules/CMakeLists.txt +index 5d13412b..a70c094f 100644 +--- a/src/daemon/modules/CMakeLists.txt ++++ b/src/daemon/modules/CMakeLists.txt +@@ -3,7 +3,6 @@ + aux_source_directory(${CMAKE_CURRENT_SOURCE_DIR} modules_top_srcs) + add_subdirectory(runtime) + add_subdirectory(image) +-add_subdirectory(plugin) + add_subdirectory(spec) + add_subdirectory(container) + add_subdirectory(log) +@@ -17,7 +16,6 @@ set(local_modules_srcs + ${modules_top_srcs} + ${RUNTIME_SRCS} + ${IMAGE_SRCS} +- ${PLUGIN_SRCS} + ${SPEC_SRCS} + ${MANAGER_SRCS} + ${LOG_GATHER_SRCS} +@@ -31,7 +29,6 @@ set(local_modules_incs + ${CMAKE_CURRENT_SOURCE_DIR} + ${RUNTIME_INCS} + ${IMAGE_INCS} +- ${PLUGIN_INCS} + ${SPEC_INCS} + ${MANAGER_INCS} + ${LOG_GATHER_INCS} +@@ -42,6 +39,16 @@ set(local_modules_incs + ${VOLUME_INCS} + ) + ++if (ENABLE_PLUGIN) ++ add_subdirectory(plugin) ++ list(APPEND local_modules_srcs ++ ${PLUGIN_SRCS} ++ ) ++ list(APPEND local_modules_incs ++ ${PLUGIN_INCS} ++ ) ++endif() ++ + set(MODULES_SRCS + ${local_modules_srcs} + PARENT_SCOPE +diff --git a/src/daemon/modules/api/CMakeLists.txt b/src/daemon/modules/api/CMakeLists.txt +index f577c45f..0735b25a 100644 +--- a/src/daemon/modules/api/CMakeLists.txt ++++ b/src/daemon/modules/api/CMakeLists.txt +@@ -9,3 +9,6 @@ set(MODULES_API_INCS + PARENT_SCOPE + ) + ++if (NOT ENABLE_PLUGIN) ++ list(REMOVE_ITEM MODULES_API_INCS "${CMAKE_CURRENT_SOURCE_DIR}/plugin_api.h") ++endif() +diff --git a/src/daemon/modules/container/container_events_handler.c b/src/daemon/modules/container/container_events_handler.c +index d78e6fc1..d56c2ee0 100644 +--- a/src/daemon/modules/container/container_events_handler.c ++++ b/src/daemon/modules/container/container_events_handler.c +@@ -155,7 +155,9 @@ static int container_state_changed(container_t *cont, const struct isulad_events + } else { + container_state_set_stopped(cont->state, (int)events->exit_status); + container_wait_stop_cond_broadcast(cont); ++#ifdef ENABLE_PLUGIN + plugin_event_container_post_stop(cont); ++#endif + } + + auto_remove = !should_restart && cont->hostconfig != NULL && cont->hostconfig->auto_remove; +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 1fa2559d..2d393f62 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -807,12 +807,14 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + open_stdin = cont->common_config->config->open_stdin; + } + ++#ifdef ENABLE_PLUGIN + if (plugin_event_container_pre_start(cont)) { + ERROR("Plugin event pre start failed "); + plugin_event_container_post_stop(cont); /* ignore error */ + ret = -1; + goto close_exit_fd; + } ++#endif + + #ifdef ENABLE_CRI_API_V1 + if (cont->common_config->sandbox_info != NULL && +@@ -1370,7 +1372,9 @@ int delete_container(container_t *cont, bool force) + } + } + ++#ifdef ENABLE_PLUGIN + plugin_event_container_post_remove(cont); ++#endif + + ret = do_delete_container(cont); + if (ret != 0) { +-- +2.25.1 + diff --git a/0023-2161-bugfix-for-api-cmakelist.patch b/0023-2161-bugfix-for-api-cmakelist.patch new file mode 100644 index 0000000000000000000000000000000000000000..94c5b6e9e5842d0f351d13a2bf101d0a189b2e06 --- /dev/null +++ b/0023-2161-bugfix-for-api-cmakelist.patch @@ -0,0 +1,25 @@ +From 6b02ac8055379fa0b907f5ed10c5bd974cade90f Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Thu, 31 Aug 2023 01:55:41 +0000 +Subject: [PATCH 23/32] !2161 bugfix for api cmakelist * bugfix for api + cmakelist + +--- + src/daemon/modules/api/CMakeLists.txt | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/daemon/modules/api/CMakeLists.txt b/src/daemon/modules/api/CMakeLists.txt +index 0735b25a..357566fa 100644 +--- a/src/daemon/modules/api/CMakeLists.txt ++++ b/src/daemon/modules/api/CMakeLists.txt +@@ -8,7 +8,3 @@ set(MODULES_API_INCS + ${CMAKE_CURRENT_SOURCE_DIR} + PARENT_SCOPE + ) +- +-if (NOT ENABLE_PLUGIN) +- list(REMOVE_ITEM MODULES_API_INCS "${CMAKE_CURRENT_SOURCE_DIR}/plugin_api.h") +-endif() +-- +2.25.1 + diff --git a/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch b/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch new file mode 100644 index 0000000000000000000000000000000000000000..eee611a5446c388560684f70b5d4da2a96d2780e --- /dev/null +++ b/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch @@ -0,0 +1,140 @@ +From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 2 Sep 2023 08:56:38 +0000 +Subject: [PATCH 24/32] !2165 preventing the use of insecure isulad tmpdir + directory * preventing the use of insecure isulad tmpdir directory + +--- + src/common/constants.h | 2 + + .../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++- + src/daemon/modules/image/oci/utils_images.c | 10 +++ + 3 files changed, 77 insertions(+), 1 deletion(-) + +diff --git a/src/common/constants.h b/src/common/constants.h +index d93bb464..c0417263 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -50,6 +50,8 @@ extern "C" { + + #define TEMP_DIRECTORY_MODE 0700 + ++#define ISULAD_TEMP_DIRECTORY_MODE 0660 ++ + #define CONSOLE_FIFO_DIRECTORY_MODE 0770 + + #define SOCKET_GROUP_DIRECTORY_MODE 0660 +diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c +index 9a38ffc2..f24ec467 100644 +--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c ++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c +@@ -13,6 +13,8 @@ + * Description: provide cleanup functions + *********************************************************************************/ + #include ++#include ++#include + + #include "utils.h" + #include "utils_fs.h" +@@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su + return true; + } + ++static int isulad_tmpdir_security_check(const char *tmpdir) ++{ ++ struct stat st = { 0 }; ++ ++ if (lstat(tmpdir, &st) != 0) { ++ SYSERROR("Failed to lstat %s", tmpdir); ++ return -1; ++ } ++ ++ if (!S_ISDIR(st.st_mode)) { ++ return -1; ++ } ++ ++ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { ++ return -1; ++ } ++ ++ if (st.st_uid != 0) { ++ return -1; ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static int recreate_tmpdir(const char *tmpdir) ++{ ++ int ret; ++ struct stat st = { 0 }; ++ ++ if (util_recursive_rmdir(tmpdir, 0)) { ++ ERROR("Failed to remove directory %s", tmpdir); ++ return -1; ++ } ++ ++ if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) { ++ ERROR("Failed to create directory %s", tmpdir); ++ return -1; ++ } ++ ++ if (lstat(tmpdir, &st) != 0) { ++ SYSERROR("Failed to lstat %s", tmpdir); ++ return -1; ++ } ++ ++ return ret; ++} ++ ++static int ensure_isulad_tmpdir_security(const char *tmpdir) ++{ ++ if (isulad_tmpdir_security_check(tmpdir) == 0) { ++ return 0; ++ } ++ ++ INFO("iSulad tmpdir does not meet security requirements, recreate it"); ++ return recreate_tmpdir(tmpdir); ++} ++ + static void cleanup_path(char *dir) + { + int nret; +@@ -186,7 +249,8 @@ static void cleanup_path(char *dir) + return; + } + +- if (!util_dir_exists(cleanpath)) { ++ // preventing the use of insecure isulad tmpdir directory ++ if (ensure_isulad_tmpdir_security(cleanpath) != 0) { + return; + } + +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index f8fd1e73..4342db5b 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) + goto out; + } + ++ if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) { ++ ret = -1; ++ goto out; ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ ret = -1; ++ goto out; ++ } ++ + // chown to root + ret = lchown(isulad_tmpdir, 0, 0); + if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) { +-- +2.25.1 + diff --git a/0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch b/0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch new file mode 100644 index 0000000000000000000000000000000000000000..52d66b2aee22ceebacd30458c3fb94a408e7f422 --- /dev/null +++ b/0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch @@ -0,0 +1,238 @@ +From c2af7f7d7f6b0f1aaa884204a037e8275092121a Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 2 Sep 2023 10:38:29 +0000 +Subject: [PATCH 25/32] !2166 move ensure_isulad_tmpdir_security function to + main.c * move ensure_isulad_tmpdir_security function to main.c + +--- + src/cmd/isulad/main.c | 101 ++++++++++++++++++ + .../container/leftover_cleanup/cleanup.c | 66 +----------- + src/utils/tar/util_archive.c | 2 +- + 3 files changed, 103 insertions(+), 66 deletions(-) + +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index 4740f91a..e32fed6a 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -1222,6 +1222,101 @@ out: + return ret; + } + ++static int isulad_tmpdir_security_check(const char *tmp_dir) ++{ ++ struct stat st = { 0 }; ++ ++ if (lstat(tmp_dir, &st) != 0) { ++ SYSERROR("Failed to lstat %s", tmp_dir); ++ return -1; ++ } ++ ++ if (!S_ISDIR(st.st_mode)) { ++ return -1; ++ } ++ ++ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { ++ return -1; ++ } ++ ++ if (st.st_uid != 0) { ++ return -1; ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static int recreate_tmpdir(const char *tmp_dir) ++{ ++ if (util_recursive_rmdir(tmp_dir, 0) != 0) { ++ ERROR("Failed to remove directory %s", tmp_dir); ++ return -1; ++ } ++ ++ if (util_mkdir_p(tmp_dir, ISULAD_TEMP_DIRECTORY_MODE) != 0) { ++ ERROR("Failed to create directory %s", tmp_dir); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir) ++{ ++ int nret; ++ char tmp_dir[PATH_MAX] = { 0 }; ++ char cleanpath[PATH_MAX] = { 0 }; ++ ++ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_dir); ++ if (nret < 0 || (size_t)nret >= PATH_MAX) { ++ ERROR("Failed to snprintf"); ++ return -1; ++ } ++ ++ if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) { ++ ERROR("Failed to clean path for %s", tmp_dir); ++ return -1; ++ } ++ ++ if (isulad_tmpdir_security_check(cleanpath) == 0) { ++ return 0; ++ } ++ ++ INFO("iSulad tmpdir: %s does not meet security requirements, recreate it", isulad_tmp_dir); ++ return recreate_tmpdir(cleanpath); ++} ++ ++static int ensure_isulad_tmpdir_security() ++{ ++ char *isulad_tmp_dir = NULL; ++ ++ isulad_tmp_dir = getenv("ISULAD_TMPDIR"); ++ if (!util_valid_str(isulad_tmp_dir)) { ++ isulad_tmp_dir = "/tmp"; ++ } ++ ++ if (do_ensure_isulad_tmpdir_security(isulad_tmp_dir) != 0) { ++ ERROR("Failed to ensure the %s directory is a safe directory", isulad_tmp_dir); ++ return -1; ++ } ++ ++ if (strcmp(isulad_tmp_dir, "/tmp") == 0) { ++ return 0; ++ } ++ ++ // No matter whether ISULAD_TMPDIR is set or not, ++ // ensure the "/tmp" directory is a safe directory ++ if (do_ensure_isulad_tmpdir_security("/tmp") != 0) { ++ WARN("Failed to ensure the /tmp directory is a safe directory"); ++ } ++ ++ return 0; ++} ++ + static int isulad_server_init_common() + { + int ret = -1; +@@ -1261,6 +1356,12 @@ static int isulad_server_init_common() + goto out; + } + ++ // preventing the use of insecure isulad tmpdir directory ++ if (ensure_isulad_tmpdir_security() != 0) { ++ ERROR("Failed to ensure isulad tmpdir security"); ++ goto out; ++ } ++ + if (volume_init(args->json_confs->graph) != 0) { + ERROR("Failed to init volume"); + goto out; +diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c +index f24ec467..9a38ffc2 100644 +--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c ++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c +@@ -13,8 +13,6 @@ + * Description: provide cleanup functions + *********************************************************************************/ + #include +-#include +-#include + + #include "utils.h" + #include "utils_fs.h" +@@ -171,67 +169,6 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su + return true; + } + +-static int isulad_tmpdir_security_check(const char *tmpdir) +-{ +- struct stat st = { 0 }; +- +- if (lstat(tmpdir, &st) != 0) { +- SYSERROR("Failed to lstat %s", tmpdir); +- return -1; +- } +- +- if (!S_ISDIR(st.st_mode)) { +- return -1; +- } +- +- if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { +- return -1; +- } +- +- if (st.st_uid != 0) { +- return -1; +- } +- +- if (S_ISLNK(st.st_mode)) { +- return -1; +- } +- +- return 0; +-} +- +-static int recreate_tmpdir(const char *tmpdir) +-{ +- int ret; +- struct stat st = { 0 }; +- +- if (util_recursive_rmdir(tmpdir, 0)) { +- ERROR("Failed to remove directory %s", tmpdir); +- return -1; +- } +- +- if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) { +- ERROR("Failed to create directory %s", tmpdir); +- return -1; +- } +- +- if (lstat(tmpdir, &st) != 0) { +- SYSERROR("Failed to lstat %s", tmpdir); +- return -1; +- } +- +- return ret; +-} +- +-static int ensure_isulad_tmpdir_security(const char *tmpdir) +-{ +- if (isulad_tmpdir_security_check(tmpdir) == 0) { +- return 0; +- } +- +- INFO("iSulad tmpdir does not meet security requirements, recreate it"); +- return recreate_tmpdir(tmpdir); +-} +- + static void cleanup_path(char *dir) + { + int nret; +@@ -249,8 +186,7 @@ static void cleanup_path(char *dir) + return; + } + +- // preventing the use of insecure isulad tmpdir directory +- if (ensure_isulad_tmpdir_security(cleanpath) != 0) { ++ if (!util_dir_exists(cleanpath)) { + return; + } + +diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c +index 82194654..82e940a5 100644 +--- a/src/utils/tar/util_archive.c ++++ b/src/utils/tar/util_archive.c +@@ -220,7 +220,7 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch + } + + // ensure parent dir is exist +- if (util_mkdir_p(cleanpath, buf.st_mode) != 0) { ++ if (util_mkdir_p(cleanpath, ISULAD_TEMP_DIRECTORY_MODE) != 0) { + return -1; + } + +-- +2.25.1 + diff --git a/0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch b/0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch new file mode 100644 index 0000000000000000000000000000000000000000..0043b81576d824a8dc36e63c5c13d437af5d1bc1 --- /dev/null +++ b/0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch @@ -0,0 +1,110 @@ +From 4e6473570e3a5cd59585818216218a7a512790a5 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 4 Sep 2023 08:45:55 +0000 +Subject: [PATCH 26/32] !2169 using macros to isolate isulad's enable_plugin + configuration option * using macros to isolate isulad's enable_plugin + configuration option + +--- + src/cmd/isulad/isulad_commands.h | 15 +++++++++++---- + src/common/constants.h | 2 ++ + src/daemon/config/isulad_config.c | 4 ++++ + src/daemon/config/isulad_config.h | 2 ++ + 4 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/cmd/isulad/isulad_commands.h b/src/cmd/isulad/isulad_commands.h +index 6a8220cc..05d3551c 100644 +--- a/src/cmd/isulad/isulad_commands.h ++++ b/src/cmd/isulad/isulad_commands.h +@@ -78,6 +78,16 @@ int command_default_ulimit_append(command_option_t *option, const char *arg); + #define USERNS_REMAP_OPT(cmdargs) + #endif + ++#ifdef ENABLE_PLUGIN ++#define PLUGINS_OPT(cmdargs) \ ++ { CMD_OPT_TYPE_STRING_DUP, \ ++ false, "enable-plugins", 0, &(cmdargs)->json_confs->enable_plugins, \ ++ "Enable plugins for all containers", NULL \ ++ }, ++#else ++#define PLUGINS_OPT(cmdargs) ++#endif ++ + #ifdef ENABLE_GRPC_REMOTE_CONNECT + #define ISULAD_TLS_OPTIONS(cmdargs) \ + { CMD_OPT_TYPE_STRING_DUP, \ +@@ -326,10 +336,7 @@ int command_default_ulimit_append(command_option_t *option, const char *arg); + false, "cpu-rt-runtime", 0, &(cmdargs)->json_confs->cpu_rt_runtime, \ + "Limit CPU real-time runtime in microseconds for all containers", command_convert_llong \ + }, \ +- { CMD_OPT_TYPE_STRING_DUP, \ +- false, "enable-plugins", 0, &(cmdargs)->json_confs->enable_plugins, \ +- "Enable plugins for all containers", NULL \ +- }, \ ++ PLUGINS_OPT(cmdargs) \ + { CMD_OPT_TYPE_CALLBACK, \ + false, "cri-runtime", 0, (cmdargs), \ + "CRI runtime class transform", server_callback_cri_runtime \ +diff --git a/src/common/constants.h b/src/common/constants.h +index c0417263..f98fb930 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -134,9 +134,11 @@ extern "C" { + + #define AUTH_PLUGIN "authz-broker" + ++#ifdef ENABLE_PLUGIN + #define ISULAD_ENABLE_PLUGINS "ISULAD_ENABLE_PLUGINS" + #define ISULAD_ENABLE_PLUGINS_SEPERATOR "," + #define ISULAD_ENABLE_PLUGINS_SEPERATOR_CHAR ',' ++#endif + + #ifdef ENABLE_NETWORK + #define ISULAD_CNI_NETWORK_CONF_FILE_PRE "isulacni-" +diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c +index f600f0cf..72722c30 100644 +--- a/src/daemon/config/isulad_config.c ++++ b/src/daemon/config/isulad_config.c +@@ -1253,6 +1253,7 @@ out: + return result; + } + ++#ifdef ENABLE_PLUGIN + char *conf_get_enable_plugins(void) + { + struct service_arguments *conf = NULL; +@@ -1274,6 +1275,7 @@ out: + (void)isulad_server_conf_unlock(); + return plugins; + } ++#endif + + #ifdef ENABLE_USERNS_REMAP + char *conf_get_isulad_userns_remap(void) +@@ -1739,7 +1741,9 @@ int merge_json_confs_into_global(struct service_arguments *args) + override_string_value(&args->json_confs->pidfile, &tmp_json_confs->pidfile); + // iSulad runtime execution options + override_string_value(&args->json_confs->hook_spec, &tmp_json_confs->hook_spec); ++#ifdef ENABLE_PLUGIN + override_string_value(&args->json_confs->enable_plugins, &tmp_json_confs->enable_plugins); ++#endif + #ifdef ENABLE_USERNS_REMAP + override_string_value(&args->json_confs->userns_remap, &tmp_json_confs->userns_remap); + #endif +diff --git a/src/daemon/config/isulad_config.h b/src/daemon/config/isulad_config.h +index 4fe1acdc..459ea331 100644 +--- a/src/daemon/config/isulad_config.h ++++ b/src/daemon/config/isulad_config.h +@@ -60,7 +60,9 @@ int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts); + + char *conf_get_isulad_log_file(void); + char *conf_get_engine_log_file(void); ++#ifdef ENABLE_PLUGIN + char *conf_get_enable_plugins(void); ++#endif + #ifdef ENABLE_USERNS_REMAP + char *conf_get_isulad_userns_remap(void); + #endif +-- +2.25.1 + diff --git a/0027-2178-clean-path-for-fpath-and-verify-chain-id.patch b/0027-2178-clean-path-for-fpath-and-verify-chain-id.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f3bd8c28486d57a8a257df9d062aac0f424c1aa --- /dev/null +++ b/0027-2178-clean-path-for-fpath-and-verify-chain-id.patch @@ -0,0 +1,87 @@ +From 6dcde807f5bba8ff1aa7d049856f3eddd4b0586f Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 9 Sep 2023 06:48:39 +0000 +Subject: [PATCH 27/32] !2178 clean path for fpath and verify chain id Merge + pull request !2178 from zhongtao/image + +--- + src/daemon/modules/image/oci/oci_load.c | 30 +++++++++++++++++-- + .../modules/image/oci/registry/registry.c | 2 +- + 2 files changed, 28 insertions(+), 4 deletions(-) + +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index 569c5346..fd707330 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -27,8 +27,10 @@ + #include + #include + #include ++#include + + #include "utils.h" ++#include "path.h" + #include "isula_libutils/log.h" + #include "util_archive.h" + #include "storage.h" +@@ -717,6 +719,9 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items + } + + for (; i < conf->rootfs->diff_ids_len; i++) { ++ char *fpath = NULL; ++ char cleanpath[PATH_MAX] = { 0 }; ++ + im->layers[i] = util_common_calloc_s(sizeof(load_layer_blob_t)); + if (im->layers[i] == NULL) { + ERROR("Out of memory"); +@@ -724,12 +729,31 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items + goto out; + } + +- im->layers[i]->fpath = util_path_join(dstdir, manifest->layers[i]); +- if (im->layers[i]->fpath == NULL) { +- ERROR("Path join failed"); ++ fpath = util_path_join(dstdir, manifest->layers[i]); ++ if (fpath == NULL) { ++ ERROR("Failed to join path"); ++ ret = -1; ++ goto out; ++ } ++ ++ if (util_clean_path(fpath, cleanpath, sizeof(cleanpath)) == NULL) { ++ ERROR("Failed to clean path for %s", fpath); ++ free(fpath); ++ ret = -1; ++ goto out; ++ } ++ ++ free(fpath); ++ ++ // verify whether the prefix of the path is dstdir to prevent illegal directories ++ if (strncmp(cleanpath, dstdir, strlen(dstdir)) != 0) { ++ ERROR("Illegal directory: %s", cleanpath); + ret = -1; + goto out; + } ++ ++ im->layers[i]->fpath = util_strdup_s(cleanpath); ++ + // The format is sha256:xxx + im->layers[i]->chain_id = oci_load_calc_chain_id(parent_chain_id_sha256, conf->rootfs->diff_ids[i]); + if (im->layers[i]->chain_id == NULL) { +diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c +index e0b46e2e..35753c79 100644 +--- a/src/daemon/modules/image/oci/registry/registry.c ++++ b/src/daemon/modules/image/oci/registry/registry.c +@@ -600,7 +600,7 @@ static int register_layer(pull_descriptor *desc, size_t i) + return 0; + } + +- id = util_without_sha256_prefix(desc->layers[i].chain_id); ++ id = oci_image_id_from_digest(desc->layers[i].chain_id); + if (id == NULL) { + ERROR("layer %zu have NULL digest for image %s", i, desc->image_name); + return -1; +-- +2.25.1 + diff --git a/0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch b/0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch new file mode 100644 index 0000000000000000000000000000000000000000..8410732f92307dd2f73a14f300ada0822370210c --- /dev/null +++ b/0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch @@ -0,0 +1,35 @@ +From a291302fe12e21207c30ebffebf852cb37aface4 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 9 Sep 2023 08:11:06 +0000 +Subject: [PATCH 28/32] !2179 modify the permissions of tmpdir and file lock to + 600 Merge pull request !2179 from zhongtao/mode + +--- + src/common/constants.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/common/constants.h b/src/common/constants.h +index f98fb930..caf9b793 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -50,7 +50,7 @@ extern "C" { + + #define TEMP_DIRECTORY_MODE 0700 + +-#define ISULAD_TEMP_DIRECTORY_MODE 0660 ++#define ISULAD_TEMP_DIRECTORY_MODE 0600 + + #define CONSOLE_FIFO_DIRECTORY_MODE 0770 + +@@ -70,7 +70,7 @@ extern "C" { + + #define DEFAULT_HIGHEST_DIRECTORY_MODE 0755 + +-#define MOUNT_FLOCK_FILE_MODE 0660 ++#define MOUNT_FLOCK_FILE_MODE 0600 + + #define ISULAD_CONFIG SYSCONFDIR_PREFIX"/etc/isulad" + +-- +2.25.1 + diff --git a/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch b/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch new file mode 100644 index 0000000000000000000000000000000000000000..c8954ed3198ff1cb624f21b154d4707cb6e2a153 --- /dev/null +++ b/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch @@ -0,0 +1,202 @@ +From 460c943125d9eca7cb4259d42c6c008a709e9dbe Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Wed, 23 Aug 2023 15:42:42 +0800 +Subject: [PATCH 29/32] [image] ensure id of loaded and pulled image is valid + +Signed-off-by: haozi007 +--- + src/daemon/modules/image/oci/oci_import.c | 14 ++++++++++--- + src/daemon/modules/image/oci/oci_load.c | 21 ++++++------------- + .../modules/image/oci/registry/registry.c | 8 ++++++- + src/daemon/modules/image/oci/utils_images.c | 17 ++++++++++++++- + src/daemon/modules/image/oci/utils_images.h | 3 +++ + src/utils/cutils/utils.h | 2 -- + src/utils/sha256/sha256.c | 1 - + 7 files changed, 43 insertions(+), 23 deletions(-) + +diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c +index 1e14a916..0568c23f 100644 +--- a/src/daemon/modules/image/oci/oci_import.c ++++ b/src/daemon/modules/image/oci/oci_import.c +@@ -93,7 +93,7 @@ static int register_layer(import_desc *desc) + return -1; + } + +- id = util_without_sha256_prefix(desc->uncompressed_digest); ++ id = oci_image_id_from_digest(desc->uncompressed_digest); + if (id == NULL) { + ERROR("Invalid NULL param"); + return -1; +@@ -315,8 +315,16 @@ static int register_image(import_desc *desc) + opts.create_time = &desc->now_time; + opts.digest = desc->manifest_digest; + +- image_id = util_without_sha256_prefix(desc->config_digest); +- top_layer_id = util_without_sha256_prefix(desc->uncompressed_digest); ++ image_id = oci_image_id_from_digest(desc->config_digest); ++ if (image_id == NULL) { ++ ret = -1; ++ goto out; ++ } ++ top_layer_id = oci_image_id_from_digest(desc->uncompressed_digest); ++ if (top_layer_id == NULL) { ++ ret = -1; ++ goto out; ++ } + ret = storage_img_create(image_id, top_layer_id, NULL, &opts); + if (ret != 0) { + pre_top_layer = storage_get_img_top_layer(image_id); +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index fd707330..31ae3849 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -290,16 +290,6 @@ out: + return full_digest; + } + +-static char *oci_load_without_sha256_prefix(char *digest) +-{ +- if (digest == NULL) { +- ERROR("Invalid digest NULL when strip sha256 prefix"); +- return NULL; +- } +- +- return digest + strlen(SHA256_PREFIX); +-} +- + static int registry_layer_from_tarball(const load_layer_blob_t *layer, const char *id, const char *parent) + { + int ret = 0; +@@ -345,7 +335,7 @@ static int oci_load_register_layers(load_image_t *desc) + } + + for (i = 0; i < desc->layers_len; i++) { +- id = oci_load_without_sha256_prefix(desc->layers[i]->chain_id); ++ id = oci_image_id_from_digest(desc->layers[i]->chain_id); + if (id == NULL) { + ERROR("layer %zu have NULL digest for image %s", i, desc->im_id); + ret = -1; +@@ -457,7 +447,7 @@ static int oci_load_create_image(load_image_t *desc, const char *dst_tag) + top_layer_index = desc->layers_len - 1; + opts.create_time = ×tamp; + opts.digest = desc->manifest_digest; +- top_layer_id = oci_load_without_sha256_prefix(desc->layers[top_layer_index]->chain_id); ++ top_layer_id = oci_image_id_from_digest(desc->layers[top_layer_index]->chain_id); + if (top_layer_id == NULL) { + ERROR("NULL top layer id found for image %s", desc->im_id); + ret = -1; +@@ -764,7 +754,7 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items + } + parent_chain_id_sha256 = im->layers[i]->chain_id; + +- id = oci_load_without_sha256_prefix(im->layers[i]->chain_id); ++ id = oci_image_id_from_digest(im->layers[i]->chain_id); + if (id == NULL) { + ERROR("Wipe out sha256 prefix failed from layer with chain id : %s", im->layers[i]->chain_id); + ret = -1; +@@ -832,7 +822,8 @@ static load_image_t *oci_load_process_manifest(const image_manifest_items_elemen + goto out; + } + +- image_id = oci_load_without_sha256_prefix(image_digest); ++ // call util_valid_digest to ensure digest is valid, so image id is valid ++ image_id = oci_image_id_from_digest(image_digest); + if (image_id == NULL) { + ret = -1; + ERROR("Remove sha256 prefix error from image digest %s", image_digest); +@@ -872,7 +863,7 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre) + return -1; + } + +- id = oci_load_without_sha256_prefix(chain_id_pre); ++ id = oci_image_id_from_digest(chain_id_pre); + if (id == NULL) { + ERROR("Get chain id failed from value:%s", chain_id_pre); + return -1; +diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c +index 35753c79..4124281d 100644 +--- a/src/daemon/modules/image/oci/registry/registry.c ++++ b/src/daemon/modules/image/oci/registry/registry.c +@@ -877,7 +877,13 @@ static int register_image(pull_descriptor *desc) + + // lock when create image to make sure image content all exist + mutex_lock(&g_shared->image_mutex); +- image_id = util_without_sha256_prefix(desc->config.digest); ++ image_id = oci_image_id_from_digest(desc->config.digest); ++ if (image_id == NULL) { ++ ERROR("Invalid digest: %s", desc->config.digest); ++ isulad_try_set_error_message("invalid image digest: %s", desc->config.digest); ++ ret = -1; ++ goto out; ++ } + ret = create_image(desc, image_id, &reuse); + if (ret != 0) { + ERROR("create image %s failed", desc->image_name); +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index 4342db5b..f92ee59a 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -691,4 +691,19 @@ int oci_split_search_name(const char *search_name, char **host, char **name) + + return 0; + } +-#endif +\ No newline at end of file ++#endif ++ ++char *oci_image_id_from_digest(char *digest) ++{ ++ if (digest == NULL) { ++ ERROR("Empty digest"); ++ return NULL; ++ } ++ ++ if (!util_valid_digest(digest)) { ++ ERROR("Load image with invalid digest: %s", digest); ++ return NULL; ++ } ++ ++ return digest + strlen(SHA256_PREFIX); ++} +diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h +index 2238bb91..ea0fb20a 100644 +--- a/src/daemon/modules/image/oci/utils_images.h ++++ b/src/daemon/modules/image/oci/utils_images.h +@@ -61,6 +61,9 @@ char *get_hostname_to_strip(void); + + char *oci_image_digest_pos(const char *name); + ++// return a pointer to digest string without 'sha256:' prefix ++char *oci_image_id_from_digest(char *digest); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h +index 83b20e5e..3acf0698 100644 +--- a/src/utils/cutils/utils.h ++++ b/src/utils/cutils/utils.h +@@ -388,8 +388,6 @@ int util_generate_random_str(char *id, size_t len); + + int util_check_inherited_exclude_fds(bool closeall, int *fds_to_ignore, size_t len_fds); + +-char *util_without_sha256_prefix(char *digest); +- + int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant); + + int util_read_pid_ppid_info(uint32_t pid, pid_ppid_info_t *pid_info); +diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c +index 54cc2862..4e692355 100644 +--- a/src/utils/sha256/sha256.c ++++ b/src/utils/sha256/sha256.c +@@ -388,7 +388,6 @@ char *sha256_full_digest_str(char *str) + char *util_without_sha256_prefix(char *digest) + { + if (digest == NULL || !util_has_prefix(digest, SHA256_PREFIX)) { +- ERROR("Invalid digest when strip sha256 prefix"); + return NULL; + } + +-- +2.25.1 + diff --git a/0030-mask-proxy-informations.patch b/0030-mask-proxy-informations.patch new file mode 100644 index 0000000000000000000000000000000000000000..6c743938156774e07af7357dbcc4ffaef22b531a --- /dev/null +++ b/0030-mask-proxy-informations.patch @@ -0,0 +1,123 @@ +From ff67cabc3e3839ef4b539805ed54b5c826b6f446 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Mon, 4 Sep 2023 15:19:36 +0800 +Subject: [PATCH 30/32] mask proxy informations + +Signed-off-by: haozi007 +--- + .../container_cb/execution_information.c | 86 ++++++++++++++++--- + 1 file changed, 74 insertions(+), 12 deletions(-) + +diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c +index 2f3d3627..86bb2894 100644 +--- a/src/daemon/executor/container_cb/execution_information.c ++++ b/src/daemon/executor/container_cb/execution_information.c +@@ -176,24 +176,83 @@ out: + static int get_proxy_env(char **proxy, const char *type) + { + int ret = 0; +- char *tmp = NULL; +- +- *proxy = getenv(type); +- if (*proxy == NULL) { +- tmp = util_strings_to_upper(type); ++ int nret; ++ char *tmp_proxy = NULL; ++ char *col_pos = NULL; ++ char *at_pos = NULL; ++ size_t proxy_len; ++ const char *mask_str = "//xxxx:xxxx"; ++ ++ tmp_proxy = getenv(type); ++ if (tmp_proxy == NULL) { ++ char *tmp = util_strings_to_upper(type); + if (tmp == NULL) { + ERROR("Failed to upper string!"); +- ret = -1; +- goto out; +- } +- *proxy = getenv(tmp); +- if (*proxy == NULL) { +- *proxy = ""; ++ return -1; + } ++ tmp_proxy = getenv(tmp); ++ free(tmp); ++ } ++ ++ if (tmp_proxy == NULL) { ++ return 0; ++ } ++ ++ if (strlen(tmp_proxy) >= PATH_MAX) { ++ ERROR("Too long proxy string."); ++ return -1; ++ } ++ tmp_proxy = util_strdup_s(tmp_proxy); ++ ++ if (strcmp(NO_PROXY, type) == 0) { ++ *proxy = tmp_proxy; ++ return 0; ++ } ++ ++ // mask username and password of proxy ++ col_pos = strchr(tmp_proxy, ':'); ++ if (col_pos == NULL) { ++ ERROR("Invalid proxy."); ++ ret = -1; ++ goto out; ++ } ++ at_pos = strrchr(tmp_proxy, '@'); ++ if (at_pos == NULL) { ++ // no '@', represent no user information in proxy, ++ // just return original proxy ++ *proxy = tmp_proxy; ++ return 0; ++ } ++ ++ // first colon position must before than at position ++ if ((at_pos - col_pos) < 0) { ++ ret = -1; ++ goto out; + } + ++ // proxy with userinfo format like: 'http://xxx:xxx@xxxx.com' ++ // so masked proxy length = len(proxy) - (pos(@) - pos(:) + 1) + len(mask-str) + '\0' ++ proxy_len = strlen(tmp_proxy); ++ proxy_len -= (at_pos - tmp_proxy); ++ proxy_len += (col_pos - tmp_proxy) + 1; ++ proxy_len += strlen(mask_str) + 1; ++ *proxy = util_common_calloc_s(proxy_len); ++ if (*proxy == NULL) { ++ ERROR("Out of memory"); ++ ret = -1; ++ goto out; ++ } ++ *col_pos = '\0'; ++ nret = snprintf(*proxy, proxy_len, "%s:%s%s", tmp_proxy, mask_str, at_pos); ++ if (nret < 0 || nret >= proxy_len) { ++ ret = -1; ++ free(*proxy); ++ *proxy = NULL; ++ goto out; ++ } ++ + out: +- free(tmp); ++ util_free_sensitive_string(tmp_proxy); + return ret; + } + +@@ -340,6 +399,9 @@ static int isulad_info_cb(const host_info_request *request, host_info_response * + #endif + + pack_response: ++ free(http_proxy); ++ free(https_proxy); ++ free(no_proxy); + if (*response != NULL) { + (*response)->cc = cc; + } +-- +2.25.1 + diff --git a/0031-add-testcase-for-isula-info.patch b/0031-add-testcase-for-isula-info.patch new file mode 100644 index 0000000000000000000000000000000000000000..2777582d2c90808df3a7c9a1695a0e95d17e6663 --- /dev/null +++ b/0031-add-testcase-for-isula-info.patch @@ -0,0 +1,115 @@ +From e40f451f5b919ba4154cc6005439f6b4370a7ac3 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Mon, 4 Sep 2023 17:13:13 +0800 +Subject: [PATCH 31/32] add testcase for isula info + +Signed-off-by: haozi007 +--- + CI/test_cases/container_cases/info.sh | 95 +++++++++++++++++++++++++++ + 1 file changed, 95 insertions(+) + create mode 100755 CI/test_cases/container_cases/info.sh + +diff --git a/CI/test_cases/container_cases/info.sh b/CI/test_cases/container_cases/info.sh +new file mode 100755 +index 00000000..e6c03a49 +--- /dev/null ++++ b/CI/test_cases/container_cases/info.sh +@@ -0,0 +1,95 @@ ++#!/bin/bash ++# ++# attributes: isula info operator ++# concurrent: YES ++# spend time: 1 ++ ++####################################################################### ++##- Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. ++# - iSulad licensed under the Mulan PSL v2. ++# - You can use this software according to the terms and conditions of the Mulan PSL v2. ++# - You may obtain a copy of Mulan PSL v2 at: ++# - http://license.coscl.org.cn/MulanPSL2 ++# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# - PURPOSE. ++# - See the Mulan PSL v2 for more details. ++##- @Description:CI ++##- @Author: haozi007 ++##- @Create: 2023-09-04 ++####################################################################### ++ ++curr_path=$(dirname $(readlink -f "$0")) ++data_path=$(realpath $curr_path/../data) ++source ../helpers.sh ++ ++function do_test_t() ++{ ++ check_valgrind_log ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ export http_proxy="http://test:123456@testproxy.com" ++ export https_proxy="http://test:123456@testproxy.com" ++ export no_proxy="127.0.0.1" ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ isula info | grep "Http Proxy" | grep "http://xxxx:xxxx@testproxy.com" ++ fn_check_eq "$?" "0" "check http proxy failed" ++ isula info | grep "Https Proxy" | grep "http://xxxx:xxxx@testproxy.com" ++ fn_check_eq "$?" "0" "check https proxy failed" ++ isula info | grep "No Proxy" | grep "127.0.0.1" ++ fn_check_eq "$?" "0" "check no proxy failed" ++ ++ check_valgrind_log ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ export http_proxy="https://example.com" ++ export no_proxy="127.0.0.1" ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ isula info | grep "Http Proxy" | grep "https://example.com" ++ fn_check_eq "$?" "0" "check http proxy failed" ++ isula info | grep "No Proxy" | grep "127.0.0.1" ++ fn_check_eq "$?" "0" "check no proxy failed" ++ ++ check_valgrind_log ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ export http_proxy="http//abc.com" ++ export no_proxy="127.0.0.1:localhost" ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ isula info | grep "Http Proxy" ++ fn_check_ne "$?" "0" "check http proxy failed" ++ isula info | grep "No Proxy" ++ fn_check_ne "$?" "0" "check no proxy failed" ++ ++ check_valgrind_log ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ export http_proxy="http//xxxx@abc:abc.com" ++ export no_proxy="127.0.0.1" ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ isula info | grep "Http Proxy" ++ fn_check_ne "$?" "0" "check http proxy failed" ++ isula info | grep "No Proxy" ++ fn_check_ne "$?" "0" "check no proxy failed" ++ ++ check_valgrind_log ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) ++ unset https_proxy http_proxy no_proxy ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ isula info | grep "Http Proxy" ++ fn_check_ne "$?" "0" "check http proxy failed" ++ isula info | grep "No Proxy" ++ fn_check_ne "$?" "0" "check no proxy failed" ++ ++ return $TC_RET_T ++} ++ ++ret=0 ++ ++do_test_t ++if [ $? -ne 0 ];then ++ let "ret=$ret + 1" ++fi ++ ++show_result $ret "basic info" +-- +2.25.1 + diff --git a/0032-fix-oci-import-compile-error.patch b/0032-fix-oci-import-compile-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..2c4d64c0e7e20217068842243c6cd679166228ca --- /dev/null +++ b/0032-fix-oci-import-compile-error.patch @@ -0,0 +1,25 @@ +From ff0bf5155c163c5230b3ac6d71e2dfc1ed6cfa01 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Tue, 12 Sep 2023 17:24:24 +0800 +Subject: [PATCH 32/32] fix oci import compile error + +Signed-off-by: haozi007 +--- + src/daemon/modules/image/oci/oci_import.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c +index 0568c23f..058107a4 100644 +--- a/src/daemon/modules/image/oci/oci_import.c ++++ b/src/daemon/modules/image/oci/oci_import.c +@@ -33,6 +33,7 @@ + #include "utils_file.h" + #include "utils_timestamp.h" + #include "util_archive.h" ++#include "utils_images.h" + + #define IMPORT_COMMENT "Imported from tarball" + #define ROOTFS_TYPE "layers" +-- +2.25.1 + diff --git a/0033-2188-Support-both-C-11-and-C-17.patch b/0033-2188-Support-both-C-11-and-C-17.patch new file mode 100644 index 0000000000000000000000000000000000000000..3e59bf99664e734d3d82238c440ca349671381da --- /dev/null +++ b/0033-2188-Support-both-C-11-and-C-17.patch @@ -0,0 +1,60 @@ +From bfd1b325eb93083ce4478c28aa61101ac553b458 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Wed, 13 Sep 2023 02:16:12 +0000 +Subject: [PATCH 33/33] !2188 Support both C++11 and C++17 * Support both C++11 + and C++17 + +--- + cmake/set_build_flags.cmake | 11 ++++++++++- + test/fuzz/CMakeLists.txt | 13 ++++++++++++- + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake +index 09c85c65..38069791 100644 +--- a/cmake/set_build_flags.cmake ++++ b/cmake/set_build_flags.cmake +@@ -3,7 +3,16 @@ set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fP + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") + + if (GRPC_CONNECTOR) +- set(CMAKE_CXX_FLAGS "-fPIC -std=c++17 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") ++ include(CheckCXXCompilerFlag) ++ CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17) ++ if (COMPILER_SUPPORTS_CXX17) ++ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.") ++ set(CMAKE_CXX_VERSION "-std=c++17") ++ else() ++ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has no C++17 support. Use C++11.") ++ set(CMAKE_CXX_VERSION "-std=c++11") ++ endif() ++ set(CMAKE_CXX_FLAGS "-fPIC ${CMAKE_CXX_VERSION} -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") + endif() + set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread") +diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt +index 617a168f..0682ffa3 100644 +--- a/test/fuzz/CMakeLists.txt ++++ b/test/fuzz/CMakeLists.txt +@@ -34,7 +34,18 @@ MESSAGE(STATUS "GCLANG_PP_BINARY is set to ${GCLANG_PP_BINARY}") + SET(CMAKE_C_COMPILER "${GCLANG_BINARY}") + SET(CMAKE_CXX_COMPILER "${GCLANG_PP_BINARY}") + SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 --coverage -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") +-SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++17 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") ++ ++include(CheckCXXCompilerFlag) ++CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17) ++if (COMPILER_SUPPORTS_CXX17) ++ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.") ++ set(CMAKE_CXX_VERSION "-std=c++17") ++else() ++ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has no C++17 support. Use C++11.") ++ set(CMAKE_CXX_VERSION "-std=c++11") ++endif() ++ ++SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage ${CMAKE_CXX_VERSION} -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") + SET(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) + + SET(EXE0 test_volume_mount_spec_fuzz) +-- +2.40.1 + diff --git a/iSulad.spec b/iSulad.spec index 766c807744648d3b3a41c170ba85b4dc1e5f71cc..7e148e16d01a565254466e3b8c1e96ffc5f5c708 100644 --- a/iSulad.spec +++ b/iSulad.spec @@ -1,8 +1,10 @@ -%global _version 2.1.2 -%global _release 4 +%global _version 2.1.3 +%global _release 6 %global is_systemd 1 +%global enable_criv1 1 %global enable_shimv2 1 %global is_embedded 1 +%global cpp_std 17 Name: iSulad Version: %{_version} @@ -13,21 +15,39 @@ URL: https://gitee.com/openeuler/iSulad Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz BuildRoot: {_tmppath}/iSulad-%{version} -Patch0001: 0001-convert-files-from-CRLF-to-LF.patch -Patch0002: 0002-restore-ping-head.patch -Patch0003: 0003-fix-health_check.sh.patch -Patch0004: 0004-ensure-isulad_io-not-NULL-before-close-fd.patch -Patch0005: 0005-recheck-delete-command-exit-status.patch -Patch0006: 0006-restore-execSync-return-value.patch -Patch0007: 0007-reinforce-cri_stream.sh-and-health_check.sh.patch -Patch0008: 0008-reinforce-omit-health_check.sh.patch -Patch0009: 0009-fix-memory-leak-and-array-access-out-of-range.patch -Patch0010: 0010-fix-memory-leak-of-top_layer.patch -Patch0011: 0011-distinguishing-exit-codes-between-shim-and-container.patch -Patch0012: 0012-fix-hugetlbs-malloc-length.patch -Patch0013: 0013-fix-forget-to-set-return-value.patch -Patch0014: 0014-ensure-define-in-local-and-use-correctly-type.patch -Patch0015: 0015-Revert-the-changes-in-util_smart_calloc_s.patch +Patch0001: 0001-2155-Use-reference-in-loop-in-listpodsandbox.patch +Patch0002: 0002-2156-Fix-sandbox-error-logging.patch +Patch0003: 0003-2158-Use-crictl-v1.22.0-for-ci.patch +Patch0004: 0004-2162-Fix-rename-issue-for-id-manager.patch +Patch0005: 0005-2163-add-bind-mount-file-lock.patch +Patch0006: 0006-2168-fix-code-bug.patch +Patch0007: 0007-2171-Fix-nullptr-in-src-daemon-entry.patch +Patch0008: 0008-Add-vsock-support-for-exec.patch +Patch0009: 0009-remove-unneccessary-strerror.patch +Patch0010: 0010-do-not-report-low-level-error-to-user.patch +Patch0011: 0011-remove-usage-of-strerror-with-user-defined-errno.patch +Patch0012: 0012-use-gmtime_r-to-replace-gmtime.patch +Patch0013: 0013-improve-report-error-message-of-client.patch +Patch0014: 0014-adapt-new-error-message-for-isula-cp.patch +Patch0015: 0015-2182-Add-mutex-for-container-list-in-sandbox.patch +Patch0016: 0016-2180-fix-execlp-not-enough-args.patch +Patch0017: 0017-2135-modify-incorrect-variable-type.patch +Patch0018: 0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch +Patch0019: 0019-remove-password-in-url-module-and-clean-sensitive-in.patch +Patch0020: 0020-2153-fix-codecheck.patch +Patch0021: 0021-2157-bugfix-for-memset.patch +Patch0022: 0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch +Patch0023: 0023-2161-bugfix-for-api-cmakelist.patch +Patch0024: 0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch +Patch0025: 0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch +Patch0026: 0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch +Patch0027: 0027-2178-clean-path-for-fpath-and-verify-chain-id.patch +Patch0028: 0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch +Patch0029: 0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch +Patch0030: 0030-mask-proxy-informations.patch +Patch0031: 0031-add-testcase-for-isula-info.patch +Patch0032: 0032-fix-oci-import-compile-error.patch +Patch0033: 0033-2188-Support-both-C-11-and-C-17.patch %ifarch x86_64 aarch64 Provides: libhttpclient.so()(64bit) @@ -56,10 +76,9 @@ Requires: sqlite BuildRequires: gtest-devel gmock-devel %endif -%define lcrver_lower 2.1.1-0 -%define lcrver_upper 2.1.2-0 +%define lcrver_lower 2.1.2-0 +%define lcrver_upper 2.1.3-0 -BuildRequires: lcr-devel > %{lcrver_lower} lcr-devel < %{lcrver_upper} BuildRequires: libisula-devel > %{lcrver_lower} libisula-devel < %{lcrver_upper} BuildRequires: cmake gcc-c++ yajl-devel lxc lxc-devel BuildRequires: grpc grpc-plugins grpc-devel protobuf-devel @@ -67,6 +86,7 @@ BuildRequires: libcurl libcurl-devel libarchive-devel device-mapper-devel BuildRequires: http-parser-devel BuildRequires: libseccomp-devel libcap-devel libselinux-devel libwebsockets libwebsockets-devel BuildRequires: systemd-devel git +BuildRequires: libevhtp-devel libevent-devel %if 0%{?enable_shimv2} BuildRequires: lib-shim-v2 lib-shim-v2-devel %endif @@ -79,6 +99,7 @@ Requires: libcurl Requires: http-parser libseccomp Requires: libcap libselinux libwebsockets libarchive device-mapper Requires: systemd +BuildRequires: libevhtp libevent %if 0%{?enable_shimv2} Requires: lib-shim-v2 %endif @@ -93,19 +114,31 @@ Runtime Daemon, written by C. %build mkdir -p build cd build +%cmake \ + -DDEBUG=ON \ + -DCMAKE_SKIP_RPATH=TRUE \ + -DLIB_INSTALL_DIR=%{_libdir} \ + -DCMAKE_INSTALL_PREFIX=/usr \ +%if 0%{?enable_criv1} + -DENABLE_CRI_API_V1=ON \ + -DENABLE_SANDBOXER=ON \ +%endif %if 0%{?enable_shimv2} -%if %{defined openeuler} -%cmake -DDEBUG=ON -DCMAKE_SKIP_RPATH=TRUE -DLIB_INSTALL_DIR=%{_libdir} -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_SHIM_V2=ON -DENABLE_UT=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ../ -%else -%cmake -DDEBUG=ON -DCMAKE_SKIP_RPATH=TRUE -DLIB_INSTALL_DIR=%{_libdir} -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_SHIM_V2=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ../ + -DENABLE_SHIM_V2=ON \ %endif -%else %if %{defined openeuler} -%cmake -DDEBUG=ON -DCMAKE_SKIP_RPATH=TRUE -DLIB_INSTALL_DIR=%{_libdir} -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_UT=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ../ -%else -%cmake -DDEBUG=ON -DCMAKE_SKIP_RPATH=TRUE -DLIB_INSTALL_DIR=%{_libdir} -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_GRPC_REMOTE_CONNECT=ON ../ + -DENABLE_UT=OFF \ %endif + -DENABLE_GRPC_REMOTE_CONNECT=OFF \ + -DENABLE_GRPC=ON \ + -DCMAKE_CXX_STANDARD=%{cpp_std} \ + ../ + +sed -i "10 a\# undef linux" grpc/src/api/services/cri/v1alpha/api.pb.h +%if 0%{?enable_criv1} +sed -i "10 a\# undef linux" grpc/src/api/services/cri/v1/api_v1.pb.h %endif + %make_build %check @@ -270,6 +303,12 @@ fi %endif %changelog +* Tue Sep 19 2023 zhongtao - 2.1.3-6 +- Type: sync +- ID: NA +- SUG: NA +- DESC: Synchronize branch with 23.09 + * Mon May 29 2023 zhangxiaoyu - 2.1.2-4 - Type: bugfix - ID: NA diff --git a/v2.1.2.tar.gz b/v2.1.3.tar.gz similarity index 60% rename from v2.1.2.tar.gz rename to v2.1.3.tar.gz index 05d616b6729e2cabb9fc113c82dc61c0b44fda38..3d5f1144ab1be6d1a1bffdd3555e991fe6787851 100644 Binary files a/v2.1.2.tar.gz and b/v2.1.3.tar.gz differ