From 148b383f9347c2aa2b3d9633720830d4d68db799 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Thu, 15 May 2025 15:22:36 +0800
Subject: [PATCH] sync patches from upstream
---
0201-bugfix-CI-add-lxc-failed.patch | 25 ++
...kSettingsJson-alloc-dealloc-mismatch.patch | 50 ++++
...I-heap-buffer-overflow-when-containe.patch | 217 ++++++++++++++++++
...move-lxc-build-in-CI-to-avoid-failed.patch | 45 ++++
...-to-host-you-must-connect-the-contai.patch | 68 ++++++
0206-Fix-stray-character-issue.patch | 27 +++
...rovement-resolve-invalid-return-code.patch | 64 ++++++
...ugfix-fix-cdi-hook-name-strcmp-error.patch | 32 +++
...-add-some-sandbox-ut-for-public-func.patch | 47 ++++
iSulad.spec | 17 +-
10 files changed, 591 insertions(+), 1 deletion(-)
create mode 100644 0201-bugfix-CI-add-lxc-failed.patch
create mode 100644 0202-bugfix-GetNetworkSettingsJson-alloc-dealloc-mismatch.patch
create mode 100644 0203-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
create mode 100644 0204-bugfix-remove-lxc-build-in-CI-to-avoid-failed.patch
create mode 100644 0205-when-publish-a-container-port-to-host-you-must-connect-the-contai.patch
create mode 100644 0206-Fix-stray-character-issue.patch
create mode 100644 0207-Code-improvement-resolve-invalid-return-code.patch
create mode 100644 0208-bugfix-fix-cdi-hook-name-strcmp-error.patch
create mode 100644 0209-add-some-sandbox-ut-for-public-func.patch
diff --git a/0201-bugfix-CI-add-lxc-failed.patch b/0201-bugfix-CI-add-lxc-failed.patch
new file mode 100644
index 0000000..673b192
--- /dev/null
+++ b/0201-bugfix-CI-add-lxc-failed.patch
@@ -0,0 +1,25 @@
+From 9fc17a72c241915a5376be8e4d3fb6d857b26ce0 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Sat, 29 Mar 2025 11:22:17 +0800
+Subject: [PATCH] bugfix:CI add lxc failed
+
+Signed-off-by: liuxu
+---
+ CI/pr-gateway.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/CI/pr-gateway.sh b/CI/pr-gateway.sh
+index e3613e8e..60f99734 100755
+--- a/CI/pr-gateway.sh
++++ b/CI/pr-gateway.sh
+@@ -37,6 +37,7 @@ rm -rf lxc
+ git clone https://gitee.com/src-openeuler/lxc.git
+ pushd lxc
+ rm -rf lxc-5.0.2
++git config --global --add safe.directory $(pwd)/lxc-5.0.2
+ ./apply-patches || exit 1
+ pushd lxc-5.0.2
+ mkdir -p build
+--
+2.43.0
+
diff --git a/0202-bugfix-GetNetworkSettingsJson-alloc-dealloc-mismatch.patch b/0202-bugfix-GetNetworkSettingsJson-alloc-dealloc-mismatch.patch
new file mode 100644
index 0000000..44e8a20
--- /dev/null
+++ b/0202-bugfix-GetNetworkSettingsJson-alloc-dealloc-mismatch.patch
@@ -0,0 +1,50 @@
+From 19f8047c844c8820f27986e2a98faccaf4fd3663 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Fri, 28 Mar 2025 15:59:56 +0800
+Subject: [PATCH] bugfix:GetNetworkSettingsJson alloc-dealloc-mismatch
+
+Signed-off-by: liuxu
+---
+ src/daemon/entry/cri/cni_network_plugin.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/entry/cri/cni_network_plugin.cc b/src/daemon/entry/cri/cni_network_plugin.cc
+index 17a50667..4b43e9b1 100644
+--- a/src/daemon/entry/cri/cni_network_plugin.cc
++++ b/src/daemon/entry/cri/cni_network_plugin.cc
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "cri_helpers.h"
+ #include "cxxutils.h"
+ #include "utils.h"
+@@ -531,7 +532,7 @@ auto CniNetworkPlugin::GetNetworkSettingsJson(const std::string &podSandboxID, c
+ {
+ std::string json;
+ parser_error jerr { nullptr };
+- std::unique_ptr setting_json;
++ __isula_auto_free char *setting_json = nullptr;
+
+ if (result == nullptr) {
+ ERROR("Invalid input param, no network result to set");
+@@ -557,13 +558,13 @@ auto CniNetworkPlugin::GetNetworkSettingsJson(const std::string &podSandboxID, c
+ goto out;
+ }
+
+- setting_json = std::unique_ptr(container_network_settings_generate_json(network_settings, nullptr, &jerr));
++ setting_json = container_network_settings_generate_json(network_settings, nullptr, &jerr);
+ if (setting_json == nullptr) {
+ err.Errorf("Get network settings json err:%s", jerr);
+ goto out;
+ }
+
+- json = setting_json.get();
++ json = std::string(setting_json);
+
+ out:
+ free(jerr);
+--
+2.43.0
+
diff --git a/0203-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch b/0203-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
new file mode 100644
index 0000000..a96f5e7
--- /dev/null
+++ b/0203-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
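Review bot: Nothing at the `__isula_auto_free char *setting_json = nullptr;` declaration in GetNetworkSettingsJson records why the smart pointer was dropped, so a later cleanup could reintroduce a default-deleter `std::unique_ptr` and bring the alloc/dealloc mismatch back. I would add a comment above the declaration, e.g. `// buffer from container_network_settings_generate_json() must be released with free(), never delete`. That ownership contract is inferred from the commit subject rather than visible in the hunk, so please confirm it before writing it down. `json = std::string(setting_json);` can also be written `json = setting_json;`, which avoids the temporary. The function body continues outside the hunks shown.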
@@ -0,0 +1,217 @@ +From 1887601e26b4e3dbfdacb66afad145dbbc08d877 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Fri, 28 Mar 2025 16:08:03 +0800 +Subject: [PATCH] bugfix:SandboxAPI heap-buffer-overflow when containers are + created concurrently. + +Signed-off-by: liuxu +--- + .../sandbox/sandboxer/sandboxer_sandbox.cc | 46 +++++++++---------- + .../sandbox/sandboxer/sandboxer_sandbox.h | 8 ++-- + 2 files changed, 26 insertions(+), 28 deletions(-) + +diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc +index e26b87c8..fc44f94a 100644 +--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc ++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc +@@ -73,7 +73,6 @@ auto SandboxerSandbox::ReadSandboxTasksJson() -> sandbox_tasks * + __isula_auto_free parser_error err = nullptr; + sandbox_tasks *tasksArray = nullptr; + +- ReadGuard lock(m_tasksMutex); + tasksArray = sandbox_tasks_parse_file(path.c_str(), nullptr, &err); + if (tasksArray == nullptr) { + WARN("Failed to read %s tasks json: %s", path.c_str(), err); +@@ -86,7 +85,6 @@ auto SandboxerSandbox::WriteSandboxTasksJson(std::string &tasks_json) -> bool + int nret = 0; + const std::string path = GetTasksJsonPath(); + +- WriteGuard lock(m_tasksMutex); + nret = util_atomic_write_file(path.c_str(), tasks_json.c_str(), tasks_json.size(), CONFIG_FILE_MODE, false); + if (nret != 0) { + SYSERROR("Failed to write file %s", path.c_str()); +@@ -99,7 +97,6 @@ auto SandboxerSandbox::DeleteSandboxTasksJson() -> bool + int get_err = 0; + const std::string path = GetTasksJsonPath(); + +- WriteGuard lock(m_tasksMutex); + if (util_fileself_exists(path.c_str()) && + !util_force_remove_file(path.c_str(), &get_err)) { + errno = get_err; +@@ -114,7 +111,6 @@ void SandboxerSandbox::AddSandboxTasksByArray(sandbox_tasks *tasksArray) + { + size_t i; + +- WriteGuard lock(m_tasksMutex); + for (i = 0; i < tasksArray->tasks_len; i++) { + if (!AddTaskById(tasksArray->tasks[i]->task_id, 
tasksArray->tasks[i])) { + return; +@@ -128,6 +124,8 @@ void SandboxerSandbox::LoadSandboxTasks() + { + sandbox_tasks *tasksArray = nullptr; + ++ std::lock_guard lockGuard(m_tasksMutex); ++ + tasksArray = ReadSandboxTasksJson(); + if (tasksArray == nullptr) { + return; +@@ -164,8 +162,6 @@ auto SandboxerSandbox::AddSandboxTasks(sandbox_task *task) -> bool + return false; + } + +- WriteGuard lock(m_tasksMutex); +- + return AddTaskById(task->task_id, task); + } + +@@ -181,19 +177,8 @@ auto SandboxerSandbox::GetAnySandboxTasks() -> std::string + SYSERROR("Out of memory."); + return std::string(""); + } +- +- ReadGuard lock(m_tasksMutex); ++ + for (auto const& [_, val] : m_tasks) { +- /* +- * We ignore that the processes are modified +- * when we generate tasks json string. +- * Because no matter whether a process is deleted or added, +- * the Update of sandbox api will be called eventually. +- * +- * And we ignore that the task is freed after we do GetTask(). +- * Because the only way to free task is DeleteSandboxTasks() +- * which needs write lock of m_tasksMutex. 
+- */ + tasksArray.tasks[i] = val->GetTask(); + i++; + } +@@ -218,7 +203,6 @@ void SandboxerSandbox::DeleteSandboxTasks(const char *containerId) + + std::string taskId = std::string(containerId); + +- WriteGuard lock(m_tasksMutex); + auto iter = m_tasks.find(taskId); + if (iter == m_tasks.end()) { + return; +@@ -235,7 +219,6 @@ auto SandboxerSandbox::AddSandboxTasksProcess(const char *containerId, sandbox_p + + std::string taskId = std::string(containerId); + +- ReadGuard lock(m_tasksMutex); + auto iter = m_tasks.find(taskId); + if (iter == m_tasks.end()) { + SYSERROR("Failed to find container %s", containerId); +@@ -253,7 +236,6 @@ void SandboxerSandbox::DeleteSandboxTasksProcess(const char *containerId, const + + std::string taskId = std::string(containerId); + +- ReadGuard lock(m_tasksMutex); + auto iter = m_tasks.find(taskId); + if (iter == m_tasks.end()) { + return; +@@ -481,6 +463,7 @@ auto SandboxerSandbox::PrepareContainer(const char *containerId, const char *bas + sandbox_sandbox *apiSandbox = nullptr; + + INFO("Prepare container for sandbox"); ++ std::lock_guard lockGuard(m_tasksMutex); + + if (nullptr == consoleFifos) { + ERROR("Invlaid parameter: consoleFifos"); +@@ -529,7 +512,7 @@ auto SandboxerSandbox::PrepareContainer(const char *containerId, const char *bas + } + if (!SaveSandboxTasks()) { + ERROR("Failed to Save %s sandbox tasks.", containerId); +- (void)PurgeContainer(containerId); ++ (void)DoPurgeContainer(containerId); + return -1; + } + return 0; +@@ -546,6 +529,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId, + sandbox_sandbox *apiSandbox = nullptr; + + INFO("Prepare exec for container in sandbox"); ++ std::lock_guard lockGuard(m_tasksMutex); + + if (nullptr == consoleFifos) { + ERROR("Invlaid parameter: consoleFifos"); +@@ -590,7 +574,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId, + } + if (!SaveSandboxTasks()) { + ERROR("Failed to Save %s sandbox tasks.", 
containerId); +- (void)PurgeExec(containerId, execId); ++ (void)DoPurgeExec(containerId, execId); + return -1; + } + return 0; +@@ -600,7 +584,7 @@ del_out: + return -1; + } + +-auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int ++auto SandboxerSandbox::DoPurgeContainer(const char *containerId) -> int + { + sandbox_sandbox *apiSandbox = nullptr; + +@@ -630,7 +614,13 @@ auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int + return 0; + } + +-auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> int ++auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int ++{ ++ std::lock_guard lockGuard(m_tasksMutex); ++ return DoPurgeContainer(containerId); ++} ++ ++auto SandboxerSandbox::DoPurgeExec(const char *containerId, const char *execId) -> int + { + sandbox_sandbox *apiSandbox = nullptr; + +@@ -660,4 +650,10 @@ auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> + return 0; + } + ++auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> int ++{ ++ std::lock_guard lockGuard(m_tasksMutex); ++ return DoPurgeExec(containerId, execId); ++} ++ + } +\ No newline at end of file +diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h +index 37a96cd6..1f3bc186 100644 +--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h ++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h +@@ -20,7 +20,6 @@ + #include + #include + +-#include "read_write_lock.h" + #include "sandbox_task.h" + #include "sandbox.h" + +@@ -45,6 +44,9 @@ public: + auto PurgeExec(const char *containerId, const char *execId) -> int override; + + private: ++ auto DoPurgeContainer(const char *containerId) -> int; ++ auto DoPurgeExec(const char *containerId, const char *execId) -> int; ++ + auto GetTasksJsonPath() -> std::string; + auto SaveSandboxTasks() -> bool; + auto AddSandboxTasks(sandbox_task *task) -> bool; +@@ -67,8 +69,8 @@ 
private: + auto DoSandboxUpdate(sandbox_sandbox *apiSandbox) -> int; + + private: +- // use m_tasksMutex to ensure the correctness of the tasks +- RWMutex m_tasksMutex; ++ // use m_tasksMutex to ensure the correctness of the tasks and task json file when the external interface accesses them. ++ std::mutex m_tasksMutex; + // for sandbox api update, containerId --> tasks + std::map> m_tasks; + }; +-- +2.43.0 + diff --git a/0204-bugfix-remove-lxc-build-in-CI-to-avoid-failed.patch b/0204-bugfix-remove-lxc-build-in-CI-to-avoid-failed.patch new file mode 100644 index 0000000..1247a2d --- /dev/null +++ b/0204-bugfix-remove-lxc-build-in-CI-to-avoid-failed.patch @@ -0,0 +1,45 @@ +From 5e6ce5a4aa6c27dbc7d14150877a75025269c84f Mon Sep 17 00:00:00 2001 +From: wujichao +Date: Tue, 15 Apr 2025 16:41:22 +0800 +Subject: [PATCH] bugfix: remove lxc build in CI to avoid failed + +--- + CI/pr-gateway.sh | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/CI/pr-gateway.sh b/CI/pr-gateway.sh +index 60f99734..bbbcdadf 100755 +--- a/CI/pr-gateway.sh ++++ b/CI/pr-gateway.sh +@@ -33,19 +33,6 @@ pip3 install meson ninja + + cd ~ + +-rm -rf lxc +-git clone https://gitee.com/src-openeuler/lxc.git +-pushd lxc +-rm -rf lxc-5.0.2 +-git config --global --add safe.directory $(pwd)/lxc-5.0.2 +-./apply-patches || exit 1 +-pushd lxc-5.0.2 +-mkdir -p build +-meson setup -Dtests=true -Dprefix=/usr build || exit 1 +-meson install -C build || exit 1 +-popd +-popd +- + ldconfig + rm -rf lcr + git clone https://gitee.com/openeuler/lcr.git +@@ -55,7 +42,7 @@ rm -rf build + mkdir build + pushd build + # disable lcr first +-cmake -DDEBUG=ON -DCMAKE_SKIP_RPATH=TRUE -DENABLE_LIBLCR=OFF ../ || exit 1 ++cmake -DDEBUG=ON -DCMAKE_SKIP_RPATH=TRUE -DENABLE_LIBLCR=OFF -DENABLE_UT=ON ../ || exit 1 + make -j $(nproc) || exit 1 + make install + popd +-- +2.43.0 + 
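Review bot: With the per-helper guards removed in sandboxer_sandbox.cc, the private helpers (ReadSandboxTasksJson, WriteSandboxTasksJson, DeleteSandboxTasksJson, AddSandboxTasksByArray, AddSandboxTasks, GetAnySandboxTasks, DeleteSandboxTasks, AddSandboxTasksProcess, DeleteSandboxTasksProcess) and the new DoPurgeContainer/DoPurgeExec now depend on the caller already holding `m_tasksMutex`, but nothing on them says so. Because `std::mutex` is not recursive, a later change that calls PurgeContainer or PurgeExec from a locked path would self-deadlock, and one that calls a helper from an unlocked path would bring the concurrent-access bug back. I would put `// Caller must hold m_tasksMutex.` on each of those declarations in sandboxer_sandbox.h and extend the member comment to name the public entry points that take the lock. The header hunk drops `read_write_lock.h` without showing a new include, so please confirm `<mutex>` is included there directly; the include names are not legible on this page. Several of these functions begin or end outside the hunks.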
diff --git a/0205-when-publish-a-container-port-to-host-you-must-connect-the-contai.patch b/0205-when-publish-a-container-port-to-host-you-must-connect-the-contai.patch new file mode 100644 index 0000000..28b26e1 --- /dev/null +++ b/0205-when-publish-a-container-port-to-host-you-must-connect-the-contai.patch @@ -0,0 +1,68 @@ +From 4adecb00dfef42181ab674bdc7af6bd809469c94 Mon Sep 17 00:00:00 2001 +From: wujichao +Date: Fri, 21 Mar 2025 17:26:47 +0800 +Subject: [PATCH] --publish or -p must be bound to --network or --net. + 
Signed-off-by: wujichao + +--- + docs/manual/native_network.md | 3 ++- + docs/manual/native_network_zh.md | 4 +++- + src/cmd/isula/base/create.c | 16 ++++++++++++++++ + 3 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/docs/manual/native_network.md b/docs/manual/native_network.md +index 5ff2ab2a..561c78f5 100644 +--- a/docs/manual/native_network.md ++++ b/docs/manual/native_network.md +@@ -291,6 +291,7 @@ Show only network-related parameters. + | - | - | + | --expose | Expose a port or a range of ports | + | --net, --network | Connect a container to a network | +-| -p, --publish | Publish a container's port(s) to host with format `:` | ++| -p, --publish | Publish a container's port(s) to host with format `:`. --publish/-p requires --network/--net to be specified. | + | -P, --publish-all | Publish all exposed ports to random ports | + ++**Note: The --publish/-p parameter is only applicable when the --network/--net parameter is set to the bridge network mode. In other modes like host or none, this parameter will be disregarded, and port mapping as configured will not be realized.** +diff --git a/docs/manual/native_network_zh.md b/docs/manual/native_network_zh.md +index 347e1c90..9b5a5f8c 100644 +--- a/docs/manual/native_network_zh.md ++++ b/docs/manual/native_network_zh.md +@@ -290,5 +290,7 @@ isula run [OPTIONS] ROOTFS|IMAGE [COMMAND] [ARG...] + | - | - | + | --expose | 暴露容器端口 | + | --net, --network | 加入网络 | +-| -p, --publish | 将主机端口映射到容器端口,格式为`:` | ++| -p, --publish | 将主机端口映射到容器端口,格式为`:`. 
--publish/-p需要指定--network/--net | + | -P, --publish-all | 将所有的exposed端口映射到主机上的随机端口 | ++ ++**注意:当使用 --network/--net 参数将容器加入 bridge 网络时,--publish/-p 参数才会生效并按指定的端口映射规则工作。在其他网络模式下,如 host 或 none 等,--publish/-p 参数将被忽略,无法实现预期的端口映射功能。** +diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c +index 7331676a..6777e00c 100644 +--- a/src/cmd/isula/base/create.c ++++ b/src/cmd/isula/base/create.c +@@ -1495,6 +1495,22 @@ int client_create(struct client_arguments *args) + #ifdef ENABLE_NATIVE_NETWORK + // parse --publish param to custom map + if (args->custom_conf.publish != NULL) { ++ // When network mode type is host, none, or container, --publish/-p is invalid. ++        // Docker prompts for host, intercepts container, and does nothing for none. ++        // We prompt for host and none, and intercept container. ++ if (args->custom_conf.share_ns[NAMESPACE_NET] == NULL) { ++ COMMAND_ERROR("Invalid --publish/-p: --publish/-p requires --network/--net to be specified"); ++ ret = EINVALIDARGS; ++ goto out; ++ } else if (strcmp(args->custom_conf.share_ns[NAMESPACE_NET], SHARE_NAMESPACE_HOST) == 0 ++ || strcmp(args->custom_conf.share_ns[NAMESPACE_NET], SHARE_NAMESPACE_NONE) == 0) { ++ COMMAND_ERROR("WARNING: Published ports are discarded when using host or none network mode"); ++ } else if (strncmp(args->custom_conf.share_ns[NAMESPACE_NET], SHARE_NAMESPACE_PREFIX, strlen(SHARE_NAMESPACE_PREFIX)) == 0) { ++ COMMAND_ERROR("Conflict options: --publish/-p and the container type network mode"); ++ ret = EINVALIDARGS; ++ goto out; ++ } ++ + ret = util_parse_port_specs((const char **)args->custom_conf.publish, &expose_m, &port_binding_m); + if (ret != 0) { + COMMAND_ERROR("Invalid --publish or -p params value"); +-- +2.43.0 + diff --git a/0206-Fix-stray-character-issue.patch b/0206-Fix-stray-character-issue.patch new file mode 100644 index 0000000..0f589a8 --- /dev/null +++ b/0206-Fix-stray-character-issue.patch 
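Review bot: In the host/none branch of the new check in client_create, the code prints a message and then falls through to `util_parse_port_specs`, so the publish list is still parsed into `expose_m` and `port_binding_m`; whether those bindings are really discarded depends on code outside this hunk. If they are not, the created container's configuration would carry port bindings that were never applied, which can mislead anyone auditing exposed ports, so I would either skip the parse in that branch or confirm the daemon drops them. The message is also emitted through `COMMAND_ERROR` with a `WARNING:` prefix while the command goes on to succeed; a warning-level output call, if the client has one, would fit better. client_create begins and ends outside the hunk.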
@@ -0,0 +1,27 @@ +From 327c2df98169a0bb7fe00948568fad67699716f3 Mon Sep 17 00:00:00 2001 +From: wujichao +Date: Mon, 21 Apr 2025 15:14:45 +0800 +Subject: [PATCH] Fix stray character issue + +--- + src/cmd/isula/base/create.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c +index 6777e00c..2f9814fe 100644 +--- a/src/cmd/isula/base/create.c ++++ b/src/cmd/isula/base/create.c +@@ -1496,8 +1496,8 @@ int client_create(struct client_arguments *args) + // parse --publish param to custom map + if (args->custom_conf.publish != NULL) { + // When network mode type is host, none, or container, --publish/-p is invalid. +-        // Docker prompts for host, intercepts container, and does nothing for none. +-        // We prompt for host and none, and intercept container. ++ // Docker prompts for host, intercepts container, and does nothing for none. ++ // We prompt for host and none, and intercept container. + if (args->custom_conf.share_ns[NAMESPACE_NET] == NULL) { + COMMAND_ERROR("Invalid --publish/-p: --publish/-p requires --network/--net to be specified"); + ret = EINVALIDARGS; +-- +2.43.0 + diff --git a/0207-Code-improvement-resolve-invalid-return-code.patch b/0207-Code-improvement-resolve-invalid-return-code.patch new file mode 100644 index 0000000..15c9c04 --- /dev/null +++ b/0207-Code-improvement-resolve-invalid-return-code.patch 
@@ -0,0 +1,64 @@ +From 54078642ef05c45557269d69f46b663242f2513a Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Mon, 21 Apr 2025 11:53:06 +0800 +Subject: [PATCH] Code improvement: resolve invalid return code + +Signed-off-by: xuxuepeng +--- + .../modules/image/oci/registry/registry_apiv2.c | 12 +++++++----- + .../layer_store/graphdriver/devmapper/deviceset.c | 2 +- + src/utils/console/console.c | 2 +- + 3 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/daemon/modules/image/oci/registry/registry_apiv2.c b/src/daemon/modules/image/oci/registry/registry_apiv2.c +index 7f33646d..af94b5a0 100644 +--- a/src/daemon/modules/image/oci/registry/registry_apiv2.c ++++ b/src/daemon/modules/image/oci/registry/registry_apiv2.c +@@ -428,11 +428,13 @@ static int registry_request(pull_descriptor *desc, char *path, char **custom_hea + goto out; + } + +- headers = util_str_array_dup((const char **)custom_headers, util_array_len((const char **)custom_headers)); +- if (ret != 0) { +- ERROR("duplicate custom headers failed"); +- ret = -1; +- goto out; ++ if (custom_headers != NULL) { ++ headers = util_str_array_dup((const char **)custom_headers, util_array_len((const char **)custom_headers)); ++ if (headers == NULL) { ++ ERROR("duplicate custom headers failed"); ++ ret = -1; ++ goto out; ++ } + } + + ret = util_array_append(&headers, DOCKER_API_VERSION_HEADER); +diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +index 9489e636..d0b144a5 100644 +--- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c ++++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c +@@ -1654,7 +1654,7 @@ static int cancel_deferred_removal(struct device_set *devset, const char *hash) + continue; + } + ERROR("devmapper: cancel deferred remove for dm:%s failed, err:%s", dm_name, dev_strerror(nret)); +- 
ret = -1; ++ ret = nret; + } + goto out; + } +diff --git a/src/utils/console/console.c b/src/utils/console/console.c +index 4e674a20..8d318583 100644 +--- a/src/utils/console/console.c ++++ b/src/utils/console/console.c +@@ -510,7 +510,7 @@ int console_loop_io_copy(int sync_fd, const int *srcfds, struct io_write_wrapper + + if (sync_fd >= 0) { + ts[i].sync_fd = sync_fd; +- epoll_loop_add_handler(&descr, ts[i].sync_fd, console_cb_stdio_copy, &ts[i]); ++ ret = epoll_loop_add_handler(&descr, ts[i].sync_fd, console_cb_stdio_copy, &ts[i]); + if (ret) { + ERROR("Add handler for syncfd failed"); + goto err_out; +-- +2.43.0 + diff --git a/0208-bugfix-fix-cdi-hook-name-strcmp-error.patch b/0208-bugfix-fix-cdi-hook-name-strcmp-error.patch new file mode 100644 index 0000000..c4d5218 --- /dev/null +++ b/0208-bugfix-fix-cdi-hook-name-strcmp-error.patch 
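Review bot: In cancel_deferred_removal (deviceset.c), `ret = nret;` now hands the raw device-mapper status back to callers instead of -1, and neither the sign of `nret` nor how callers test the result is visible in this hunk. If any caller checks `ret < 0` and `nret` can be positive, a failed cancel would be treated as success, so please confirm every call site tests `!= 0`, or document the contract on the function, e.g. `/* returns 0 on success, otherwise the devmapper error code */`. In registry_request, `headers` keeps its initial value when `custom_headers` is NULL and is then passed to `util_array_append(&headers, ...)`; that relies on it being initialised to NULL at its declaration, which is outside the hunk. All three functions start and end outside their hunks.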
@@ -0,0 +1,32 @@
+From d7689c4f36949d5b315de776a1bb32a4cde04584 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Sun, 27 Apr 2025 16:52:19 +0800
+Subject: [PATCH] bugfix: fix cdi hook name strcmp error
+
+Signed-off-by: liuxu
+---
+ .../modules/device/cdi/behavior/cdi_container_edits.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c b/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c
+index d146f7e1..38842f3b 100644
+--- a/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c
++++ b/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c
+@@ -404,11 +404,11 @@ static int apply_cdi_hooks(cdi_container_edits *e, oci_runtime_spec *spec)
+
+ for (i = 0; i < e->hooks_len; i++) {
+ defs_hook *oci_hook = cdi_hook_to_oci(e->hooks[i]);
+- if (strcmp(e->hooks[i]->hook_name, PRESTART_HOOK)) {
++ if (strcmp(e->hooks[i]->hook_name, PRESTART_HOOK) == 0) {
+ ret = spec_add_prestart_hook(spec, oci_hook);
+- } else if (strcmp(e->hooks[i]->hook_name, POSTSTART_HOOK)) {
++ } else if (strcmp(e->hooks[i]->hook_name, POSTSTART_HOOK) == 0) {
+ ret = spec_add_poststart_hook(spec, oci_hook);
+- } else if (strcmp(e->hooks[i]->hook_name, POSTSTOP_HOOK)) {
++ } else if (strcmp(e->hooks[i]->hook_name, POSTSTOP_HOOK) == 0) {
+ ret = spec_add_poststop_hook(spec, oci_hook);
+ } else {
+ /*
+--
+2.43.0
+
diff --git a/0209-add-some-sandbox-ut-for-public-func.patch b/0209-add-some-sandbox-ut-for-public-func.patch
new file mode 100644
index 0000000..a021869
--- /dev/null
+++ b/0209-add-some-sandbox-ut-for-public-func.patch
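Review bot: In apply_cdi_hooks, `e->hooks[i]->hook_name` is passed to `strcmp` and the result of `cdi_hook_to_oci` is handed to the `spec_add_*_hook` calls without a NULL check anywhere in the hunk. The hook entries come from a CDI spec, so unless validation elsewhere guarantees both, I would guard the loop body with `if (e->hooks[i] == NULL || e->hooks[i]->hook_name == NULL)` and take the function's existing error path, and likewise reject a NULL `oci_hook`. Before this fix the inverted comparisons routed hooks to the wrong lifecycle stage, so a unit test that pins each hook name (prestart, poststart, poststop, and an unknown name) to its stage would keep this from regressing. The loop body and the else branch continue outside the hunk.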
@@ -0,0 +1,47 @@ +From afe2e9b2b65289e3f49f6041bf3ef158490640a0 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 13 May 2025 17:09:38 +1400 +Subject: [PATCH] add some sandbox ut for public func + +Signed-off-by: zhongtao +--- + test/sandbox/sandbox/sandbox_ut.cc | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/test/sandbox/sandbox/sandbox_ut.cc b/test/sandbox/sandbox/sandbox_ut.cc +index 7534d67a..7a59cfd7 100644 +--- a/test/sandbox/sandbox/sandbox_ut.cc ++++ b/test/sandbox/sandbox/sandbox_ut.cc +@@ -151,4 +151,28 @@ TEST_F(SandboxTest, TestSandboxOpsOnExitFailed) + ASSERT_EQ(sandbox_on_sandbox_exit("12345678", 0), -1); + } + ++TEST_F(SandboxTest, TestFindAvailableVsockPortAndReleaseVsockPort) ++{ ++ uint32_t port1 = 0; ++ uint32_t port2 = 0; ++ ++ std::string id = "23456789"; ++ std::string rootdir = "/test2/rootdir"; ++ std::string statedir = "/test2/statedir"; ++ ++ auto sandbox = std::unique_ptr(new Sandbox(id, rootdir, statedir)); ++ ASSERT_NE(sandbox, nullptr); ++ EXPECT_TRUE(sandbox->FindAvailableVsockPort(port1)); ++ ASSERT_EQ(port1, 2000); ++ EXPECT_TRUE(sandbox->FindAvailableVsockPort(port2)); ++ ASSERT_EQ(port2, 2001); ++ ++ sandbox->ReleaseVsockPort(port1); ++ sandbox->ReleaseVsockPort(port2); ++ ++ port1 = 0; ++ ++ EXPECT_TRUE(sandbox->FindAvailableVsockPort(port1)); ++ ASSERT_EQ(port1, 2000); ++} + } +\ No newline at end of file +-- +2.43.0 + diff --git a/iSulad.spec b/iSulad.spec index b450799..bdeaf5c 100644 --- a/iSulad.spec +++ b/iSulad.spec @@ -1,5 +1,5 @@ %global _version 2.1.5 -%global _release 19 +%global _release 20 %global is_systemd 1 %global enable_criv1 1 %global enable_cdi 1 
@@ -222,6 +222,15 @@ Patch0197: 0197-coco-support-confidential-containers.patch Patch0198: 0198-isolate-isula-search-ut-in-registry_images_ut.patch Patch0199: 0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch Patch0200: 0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch +Patch0201: 0201-bugfix-CI-add-lxc-failed.patch +Patch0202: 0202-bugfix-GetNetworkSettingsJson-alloc-dealloc-mismatch.patch +Patch0203: 0203-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch +Patch0204: 0204-bugfix-remove-lxc-build-in-CI-to-avoid-failed.patch +Patch0205: 0205-when-publish-a-container-port-to-host-you-must-connect-the-contai.patch +Patch0206: 0206-Fix-stray-character-issue.patch +Patch0207: 0207-Code-improvement-resolve-invalid-return-code.patch +Patch0208: 0208-bugfix-fix-cdi-hook-name-strcmp-error.patch +Patch0209: 0209-add-some-sandbox-ut-for-public-func.patch %ifarch x86_64 aarch64 Provides: libhttpclient.so()(64bit) @@ -492,6 +501,12 @@ fi %endif %changelog +* Thu May 15 2025 dongyuzhen - 2.1.5-20 +- Type:enhancement +- CVE:NA +- SUG:NA +- DESC:sync patches from upstream + * Mon May 12 2025 dongyuzhen - 2.1.5-19 - Type:enhancement - CVE:NA -- Gitee