diff --git a/agent/patches/0019-kata-agent-modify-make-flags.patch b/agent/patches/0019-kata-agent-modify-make-flags.patch new file mode 100644 index 0000000000000000000000000000000000000000..50f88fc5790baac5958a6b2baa2c47ff98b26e20 --- /dev/null +++ b/agent/patches/0019-kata-agent-modify-make-flags.patch @@ -0,0 +1,29 @@ +From 1c7aaafa7b8691ea6ed6c910455567b36bb6f5ff Mon Sep 17 00:00:00 2001 +From: jikui +Date: Thu, 18 Mar 2021 15:25:49 +0800 +Subject: [PATCH] kata-agent: modify make flags + +reason: modify make flags + +Signed-off-by: jikui +--- + Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Makefile b/Makefile +index e4fd243..26fe898 100644 +--- a/Makefile ++++ b/Makefile +@@ -101,6 +101,9 @@ AGENT_IMAGE := katacontainers/agent-dev + AGENT_TAG := $(if $(COMMIT_NO_SHORT),$(COMMIT_NO_SHORT),dev) + + $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE) ++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ ++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ ++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ + go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \ + -ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)" + +-- +2.25.1 + diff --git a/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch b/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..e60ae635fcf6470d1294fd6671e27331f5075b03 --- /dev/null +++ b/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch 
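Review bot: `CGO_LDFLAGS_ALLOW` is a regular expression that whitelists linker flags appearing in `#cgo LDFLAGS` directives and pkg-config output, not a place to pass flags, so the added `CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now"` line in the `$(TARGET)` recipe has no effect on the `CGO_LDFLAGS` value set one line below (environment flags are trusted as-is) and should be dropped or replaced by a comment saying what it is meant to permit. As far as I know Go's internal linker ignores these `-Wl,-z,...` flags at final link time, so RELRO/BIND_NOW/noexecstack only take effect once the link is external (the next patch in this series forces `-linkmode=external`); a comment such as `# hardening flags reach the binary only through cgo objects and the external link` would save the next reader the same investigation. `-fPIE` in `CGO_CFLAGS` is only meaningful if `$(BUILDFLAGS)` carries `-buildmode=pie`, which is not visible in this hunk — worth confirming.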
@@ -0,0 +1,37 @@ +From d98995f25c3a839f25590478bef37d2a456593a3 Mon Sep 17 00:00:00 2001 +From: jikui +Date: Mon, 22 Mar 2021 17:07:37 +0800 +Subject: [PATCH] kata-agent: add linkmode to resolve build error + +reason: add linkmode to resolve build error + +Signed-off-by: jikui +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 26fe898..5401c69 100644 +--- a/Makefile ++++ b/Makefile +@@ -16,7 +16,7 @@ INIT := no + TRACE := no + + # Set to "yes“ if binary stripping is needed. +-STRIP := no ++STRIP := yes + + # Tracing cannot currently be supported when running the agent as PID 1 since + # the tracing requires additional services to be started _before_ the agent +@@ -105,7 +105,7 @@ $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE) + CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ + CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ + go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \ +- -ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)" ++ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)" + + install: $(TARGET) + install -D $(TARGET) $(DESTDIR)$(BINDIR)/$(TARGET) +-- +2.25.1 + diff --git a/agent/series.conf b/agent/series.conf index fc5adee738f4fa8d49e7d1c42f416de2580a81a0..0c2b8486c0d990e8bea7abdb5cc523c28638dfed 100644 --- a/agent/series.conf +++ b/agent/series.conf @@ -8,7 +8,6 @@ 0008-agent-support-get-root-bus-path-dynamically.patch 0009-storage-add-pkg-storage-for-mount.patch 0010-storage-mount-nfs-and-gpath-in-agent.patch -0011-agent-fix-agent-reap-agent-process-blocked-problem.patch 0012-network-support-set-dns-without-nameserver.patch 0013-agent-support-setting-multi-queues-of-interface.patch 0014-agent-fix-init-hugepages-failed-problem.patch 
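Review bot: Hard-wiring `STRIP := yes` in the upstream Makefile changes the documented default (`# Set to "yes" if binary stripping is needed.`) for every build rather than requesting it from the packaging side; passing `make STRIP=yes` from the build script keeps upstream behaviour intact and avoids carrying a patch for a one-word knob. The bigger consequence of `-linkmode=external` is that the agent is now linked by the host toolchain, and unless `$(LDFLAGS)` (not visible here) contains `-extldflags '-static'` it may come out dynamically linked against glibc — an agent that runs as init from the initrd then needs those shared objects present in the image, so check the built binary with `file`/`ldd` and record the result next to the flag. A one-line comment, `# external link so CGO_LDFLAGS (relro/now/noexecstack) apply to the final binary`, would also explain why the mode is forced.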
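Review bot: Removing `0011-agent-fix-agent-reap-agent-process-blocked-problem.patch` from the series silently reverts a previously shipped bugfix, and no changelog entry in this commit says why it is no longer needed or whether the fix was folded into another patch. If the patch is obsolete, delete the file from `agent/patches/` in the same change and state the reason in the changelog; if it still applies, this line should stay.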
@@ -16,3 +15,5 @@ 0016-clock-synchronizes-clock-info-with-proxy.patch 0017-agent-add-support-of-new-sandbox-StratoVirt.patch 0018-kata-agent-update-nic-in-guest.patch +0019-kata-agent-modify-make-flags.patch +0020-kata-agent-add-linkmode-to-resolve-build-error.patch diff --git a/kata-containers.spec b/kata-containers.spec index 40d51ed25058cab399f6dcf39f58166f322b2c3e..af3ea08f23db6fb9cb43c9d24b97f0080431dbee 100644 --- a/kata-containers.spec +++ b/kata-containers.spec @@ -1,8 +1,8 @@ #needsrootforbuild %global debug_package %{nil} -%define VERSION v1.11.1 -%define RELEASE 12 +%define VERSION 1.11.1 +%define RELEASE 24 Name: kata-containers Version: %{VERSION} @@ -11,7 +11,7 @@ Summary: Kata Container, the speed of containers, the security of VMs License: ISC and Apache-2.0 and GPL-2.0-or-later and CC-BY-SA-4.0 and MIT and MPL-2.0 URL: https://github.com/kata-containers Source0: kata_integration-v1.0.0.tar.gz -Source1: kata-containers-%{version}.tar.gz +Source1: kata-containers-v%{version}.tar.gz Source2: kernel.tar.gz BuildRoot: %_topdir/BUILDROOT @@ -60,6 +60,12 @@ make runtime make proxy make shim make initrd +cp -f ./runtime/containerd-shim-kata-v2 ./build/ +%ifarch %{ix86} x86_64 +sed -i 's/^hypervisor_params.*$/hypervisor_params = \"\"/' ./runtime/cli/config/configuration-qemu.toml +%else +sed -i 's/^hypervisor_params.*$/hypervisor_params = \"kvm-pit.lost_tick_policy=discard pcie-root-port.x-speed=16 pcie-root-port.x-width=32\"/' ./runtime/cli/config/configuration-qemu.toml +%endif %install mkdir -p -m 755 %{buildroot}/var/lib/kata 
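Review bot: The two `sed -i 's/^hypervisor_params.*$/…/'` edits in `%build` rewrite the shipped default configuration without checking that the key was actually matched, so a renamed or commented-out `hypervisor_params` in a future `configuration-qemu.toml` would leave the aarch64 `kvm-pit.lost_tick_policy=discard …` parameters silently unset while the build still succeeds. Guard the edit, e.g. `grep -q '^hypervisor_params' ./runtime/cli/config/configuration-qemu.toml || exit 1` before each `sed`, or carry the value as a build-time variable of the runtime Makefile instead of patching the generated file. A short comment above the `%ifarch` block stating why the two architectures need different values would also help.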
@@ -71,7 +77,8 @@ install -p -m 755 -D %{_builddir}/kernel/linux/arch/arm64/boot/Image %{buildroot cd %{_builddir}/kata_integration mkdir -p -m 750 %{buildroot}/usr/bin -install -p -m 750 ./build/kata-runtime ./build/kata-proxy ./build/kata-shim ./build/kata-netmon %{buildroot}/usr/bin/ +strip ./build/kata-runtime ./build/kata-proxy ./build/kata-shim ./build/kata-netmon ./build/containerd-shim-kata-v2 +install -p -m 750 ./build/kata-runtime ./build/kata-proxy ./build/kata-shim ./build/kata-netmon ./build/containerd-shim-kata-v2 %{buildroot}/usr/bin/ install -p -m 640 ./build/kata-containers-initrd.img %{buildroot}/var/lib/kata/ mkdir -p -m 750 %{buildroot}/usr/share/defaults/kata-containers/ install -p -m 640 -D ./runtime/cli/config/configuration-qemu.toml %{buildroot}/usr/share/defaults/kata-containers/configuration.toml 
@@ -83,24 +90,99 @@ install -p -m 640 -D ./runtime/cli/config/configuration-qemu.toml %{buildroot}/u /usr/bin/kata-proxy /usr/bin/kata-shim /usr/bin/kata-netmon +/usr/bin/containerd-shim-kata-v2 /var/lib/kata/kernel /var/lib/kata/kata-containers-initrd.img %config(noreplace) /usr/share/defaults/kata-containers/configuration.toml %doc - %changelog -* Tue May 17 2022 liukuo - v1.11.1-12 -- License compliance rectification +* Sat Sep 3 2022 liukuo - 1.11.1-24 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:License compliance rectification + +* Thu Mar 3 2022 yangfeiyu - 1.11.1-23 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:modify runtime build flags + +* Mon Feb 28 2022 yangfeiyu - 1.11.1-22 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:use host_device drive when call blockdev-add + +* Fri Feb 25 2022 yangfeiyu - 1.11.1-21 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:modify hypervisor parameters in config file + +* Mon Feb 21 2022 yangfeiyu - 1.11.1-20 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:check file size before add nic -* Wed Apr 13 2022 yangfeiyu - 1.11.1-11 +* Fri Jan 7 2022 yangfeiyu - 1.11.1-19 - Type:bugfix - ID:NA - SUG:NA -- DESC:add export GO111MODULE=off +- DESC:set GO111MODULE off for go version 1.17.3 + +* Tue Nov 30 2021 yangfeiyu - 1.11.1-18 +- Type:feature +- ID:NA +- SUG:NA +- DESC:bump version to 18 + +* Wed Jun 16 2021 gaohuatao - 1.11.1-17 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:move timeout of waitProcess to stop process + +* Thu Jun 3 2021 gaohuatao - 1.11.1-16 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:put timeout to client of wait rpc to support shimv2 + +* Wed May 12 2021 gaohuatao - 1.11.1-15 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:shimv2 write exit code in integer byte order + +* Wed Apr 28 2021 gaohuatao - 1.11.1-14 +- Type:feature +- ID:NA +- SUG:NA +- DESC:kata shimv2 adapt iSulad + +* Tue Mar 23 2021 jikui - 1.11.1-13 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:remove ctty to resolve build failed + +* Mon Mar 22 2021 jikui - 
1.11.1-12 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:add linkmode to resolve build error + +* Wed Mar 17 2021 jikui - 1.11.1-11 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:modify make flags -* Fri Feb 19 2021 xinghe - 1.11.1-10 +* Tue Feb 23 2021 xinghe - 1.11.1-10 - Type:CVE - ID:NA - SUG:NA diff --git a/proxy/patches/0002-kata-proxy-modify-make-flags.patch b/proxy/patches/0002-kata-proxy-modify-make-flags.patch new file mode 100644 index 0000000000000000000000000000000000000000..b164997e5e865a719cc8e2c6c3b225ffd464f74e --- /dev/null +++ b/proxy/patches/0002-kata-proxy-modify-make-flags.patch @@ -0,0 +1,29 @@ +From 2c5cbf2ca9624d5443ad334a8337cb58d57573b2 Mon Sep 17 00:00:00 2001 +From: jikui +Date: Thu, 18 Mar 2021 15:34:07 +0800 +Subject: [PATCH] kata-proxy: modify make flags + +reason: modify make flags + +Signed-off-by: jikui +--- + Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Makefile b/Makefile +index a1b3eee..07e9ba8 100644 +--- a/Makefile ++++ b/Makefile +@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes) + endif + + $(TARGET): $(SOURCES) $(VERSION_FILE) ++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ ++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ ++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ + go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)" + + test: +-- +2.25.1 + diff --git a/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch b/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..b3b840ea1dc1152e1a04c81cc26d352e9b260fd2 --- /dev/null +++ b/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch 
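Review bot: As in the agent patch of this series, `CGO_LDFLAGS_ALLOW` in the `$(TARGET)` recipe is a whitelist regexp for `#cgo LDFLAGS` directives, not a flag list, so the line does nothing for the `CGO_LDFLAGS` value set below it and should be removed or replaced by a comment. More importantly, `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` only affect C code compiled through cgo; nothing in this hunk shows the proxy has any, so the Go code itself gets none of that coverage and the only hardening that reaches the binary is what `$(BUILDFLAGS)` supplies (not visible here) plus the linker flags once the link is external. Document that limitation next to the flags so they are not mistaken for a guarantee, e.g. `# CGO_CFLAGS harden cgo C objects only; Go code relies on -buildmode=pie and the linker flags`.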
@@ -0,0 +1,37 @@ +From 5c4d7bcbef7d213009f1c63acf53319e230e06e2 Mon Sep 17 00:00:00 2001 +From: jikui +Date: Mon, 22 Mar 2021 17:11:48 +0800 +Subject: [PATCH] kata-proxy: add linkmode to resolve build error + +reason: add linkmode to resolve build error + +Signed-off-by: jikui +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 07e9ba8..b931dd3 100644 +--- a/Makefile ++++ b/Makefile +@@ -5,7 +5,7 @@ + # + + # Set to "yes“ if binary stripping is needed. +-STRIP := no ++STRIP := yes + + DESTDIR := + ifeq ($(PREFIX),) +@@ -36,7 +36,7 @@ $(TARGET): $(SOURCES) $(VERSION_FILE) + CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ + CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ + CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ +- go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)" ++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)" + + test: + bash .ci/go-test.sh +-- +2.25.1 + diff --git a/proxy/series.conf b/proxy/series.conf index 1f29a6e09e095aac06ef3e23e53d3014353300ac..669d8caacb8579544d83c2fdcbb7bc5b1ac3d368 100644 --- a/proxy/series.conf +++ b/proxy/series.conf @@ -1 +1,3 @@ 0001-clock-synchronizes-clock-info-to-agent.patch +0002-kata-proxy-modify-make-flags.patch +0003-kata-proxy-add-linkmode-to-resolve-build-error.patch diff --git a/runtime/kata-runtime.spec b/runtime/kata-runtime.spec index acef8cec73cc30f515df2bc6c5da4fe2f90df62f..d8d9026e22182f408a7a3f3201575122911c0c96 100644 --- a/runtime/kata-runtime.spec +++ b/runtime/kata-runtime.spec @@ -1,7 +1,7 @@ %define debug_package %{nil} %define VERSION 1.11.1 -%define RELEASE 11 +%define RELEASE 15 Name: kata-runtime Version: %{VERSION} 
@@ -87,6 +87,7 @@ cd %{_builddir}/%{name}-%{version} mkdir -p -m 750 %{buildroot}/usr/bin install -p -m 750 ./kata-runtime %{buildroot}/usr/bin install -p -m 750 ./kata-netmon %{buildroot}/usr/bin +install -p -m 750 ./containerd-shim-kata-v2 %{buildroot}/usr/bin mkdir -p -m 750 %{buildroot}/usr/share/defaults/kata-containers install -p -m 640 ./cli/config/configuration-qemu.toml %{buildroot}/usr/share/defaults/kata-containers/configuration.toml @@ -95,9 +96,34 @@ install -p -m 640 ./cli/config/configuration-qemu.toml %{buildroot}/usr/share/de %files /usr/bin/kata-runtime /usr/bin/kata-netmon +/usr/bin/containerd-shim-kata-v2 /usr/share/defaults/kata-containers/configuration.toml %changelog +* Wed June 16 2021 gaohuatao - 1.11.1-15 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: move timeout of waitProcess to stop process + +* Thu June 3 2021 gaohuatao - 1.11.1-14 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:put timeout to client of wait rpc to support shimv2 + +* Wed May 12 2021 gaohuatao - 1.11.1-13 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:shimv2 write exit code in integer byte order + +* Wed Apr 28 2021 gaohuatao - 1.11.1-12 +- Type:feature +- ID:NA +- SUG:NA +- DESC:support kata shimv2 used by iSulad and containerd + * Tue Nov 17 2020 yangfeiyu - 1.11.1-11 - Type:bugfix - ID:NA diff --git a/runtime/patches/0068-kata-runtime-modify-make-flags.patch b/runtime/patches/0068-kata-runtime-modify-make-flags.patch new file mode 100644 index 0000000000000000000000000000000000000000..32e13bc87106644619b5c3107f99d7d6c5fd123c --- /dev/null +++ b/runtime/patches/0068-kata-runtime-modify-make-flags.patch 
@@ -0,0 +1,45 @@ +From 883dac2d9cd4daea88a9ac0325df02d1de578168 Mon Sep 17 00:00:00 2001 +From: jikui +Date: Thu, 18 Mar 2021 15:48:11 +0800 +Subject: [PATCH] kata-runtime: modify make flags + +reason: modify make flags + +Signed-off-by: jikui +--- + Makefile | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index b62e64b..6b9f764 100644 +--- a/Makefile ++++ b/Makefile +@@ -521,7 +521,11 @@ containerd-shim-v2: $(SHIMV2_OUTPUT) + netmon: $(NETMON_TARGET_OUTPUT) + + $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION +- $(QUIET_BUILD)(cd $(NETMON_DIR) && go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS)) ++ $(QUIET_BUILD)(cd $(NETMON_DIR) && \ ++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ ++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ ++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ ++ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS)) + + runtime: $(TARGET_OUTPUT) $(CONFIGS) + .DEFAULT: default +@@ -559,7 +563,11 @@ GENERATED_FILES += $(CLI_DIR)/config-generated.go + GENERATED_FILES += pkg/katautils/config-settings.go + + $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary +- $(QUIET_BUILD)(cd $(CLI_DIR) && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .) ++ $(QUIET_BUILD)(cd $(CLI_DIR) && \ ++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ ++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ ++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ ++ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .) + + $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) + $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .) +-- +2.25.1 + 
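Review bot: The `$(SHIMV2_OUTPUT)` rule left in context at the end of the hunk still builds `containerd-shim-kata-v2` with a bare `go build $(KATA_LDFLAGS) -i -o $@ .`, so the binary that later in this series joins `all` and ships in the RPM is the only one of the three without the `CGO_CFLAGS`/`CGO_LDFLAGS` hardening, although it is the process that speaks to containerd/iSulad for every container. The three-line environment block is now pasted verbatim into two recipes (three once the shim is covered); hoist it into a variable and prefix each `go build` with it, which also makes the `-i` flag (deprecated and ignored by newer Go releases) easy to drop while touching the line. Note too that `CGO_LDFLAGS_ALLOW` is a regexp applied to `#cgo LDFLAGS` directives, not a way to pass flags, so that line is a no-op here.
```make
HARDEN_ENV := CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack"

# … unchanged: netmon and runtime rules, each go build prefixed with $(HARDEN_ENV) …

$(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && $(HARDEN_ENV) go build $(KATA_LDFLAGS) -o $@ .)
```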
diff --git a/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch b/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..b75ef97eae336222eaa6cefe730a813f4059c4a5 --- /dev/null +++ b/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch 
@@ -0,0 +1,48 @@ +From 22678612f668274ab0b37175517401039e17ff00 Mon Sep 17 00:00:00 2001 +From: jikui +Date: Mon, 22 Mar 2021 17:18:14 +0800 +Subject: [PATCH] kata-runtime: add linkmode to resolve build error + +reason: add linkmode to resolve build error + +Signed-off-by: jikui +--- + Makefile | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Makefile b/Makefile +index 6b9f764..f7a9311 100644 +--- a/Makefile ++++ b/Makefile +@@ -490,8 +490,9 @@ endif + BUILDFLAGS := -buildmode=pie ${BUILDTAGS} + + # whether stipping the binary ++STRIP=yes + ifeq ($(STRIP),yes) +- KATA_LDFLAGS := -ldflags "-w -s" ++ KATA_LDFLAGS := -ldflags "-w -s" + endif + + # Return non-empty string if specified directory exists +@@ -525,7 +526,7 @@ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION + CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ + CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ + CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ +- go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS)) ++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION) -w -s") + + runtime: $(TARGET_OUTPUT) $(CONFIGS) + .DEFAULT: default +@@ -567,7 +568,7 @@ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary + CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \ + CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \ + CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \ +- go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .) ++ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external" .) + + $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) + $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .) +-- +2.25.1 + 
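Review bot: In the `$(TARGET_OUTPUT)` recipe, `go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external" .` passes `-ldflags` twice once `STRIP=yes` expands `KATA_LDFLAGS` to `-ldflags "-w -s"`, and `go build` keeps only the last `-ldflags` value for the command-line package, so `-w -s` is silently dropped for kata-runtime while netmon gets them hard-coded regardless of `STRIP`; merge them into one flag, `-ldflags "-linkmode=external -w -s"`, or append `-linkmode=external` to `KATA_LDFLAGS` inside the `ifeq`. The unconditional `STRIP=yes` placed just above `ifeq ($(STRIP),yes)` also overrides any value set in the environment (only a command-line `STRIP=no` still wins), which is not what the `# whether stipping the binary` comment implies; `STRIP ?= yes` keeps the knob working, and the typo can become `stripping` in the same edit. If the point of external linking is to make `CGO_LDFLAGS` (relro/now/noexecstack) reach the final binary, say so in a comment beside `-linkmode=external`.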
diff --git a/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch b/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6463fc368b143caae3010327d75985adb042291d
--- /dev/null
+++ b/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
@@ -0,0 +1,29 @@
+From 6d684a77e027e8103345cab768860533705d5ce4 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Tue, 23 Mar 2021 17:17:00 +0800
+Subject: [PATCH] kata-runtime: remove ctty to resolve build failed
+
+reason: remove ctty to resolve build failed
+
+Signed-off-by: jikui
+---
+ virtcontainers/shim.go | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/virtcontainers/shim.go b/virtcontainers/shim.go
+index b192b25..08097f0 100644
+--- a/virtcontainers/shim.go
++++ b/virtcontainers/shim.go
+@@ -219,9 +219,6 @@ func startShim(args []string, params ShimParams) (int, error) {
+ cmd.Stderr = f
+ // Create Session
+ cmd.SysProcAttr.Setsid = true
+- // Set Controlling terminal to Ctty
+- cmd.SysProcAttr.Setctty = true
+- cmd.SysProcAttr.Ctty = int(f.Fd())
+ }
+ defer func() {
+ if f != nil {
+--
+2.25.1
+
diff --git a/runtime/patches/0071-fix-containerd-shim-kata-v2-compile-bug.patch b/runtime/patches/0071-fix-containerd-shim-kata-v2-compile-bug.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c5c221059e3594b222ba55c9ff0b15717186e352
--- /dev/null
+++ b/runtime/patches/0071-fix-containerd-shim-kata-v2-compile-bug.patch
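Review bot: Dropping the `Setctty`/`Ctty` lines is a behavioural change — the shim keeps `Setsid` but no longer acquires `f` as its controlling terminal — yet the commit message only says "resolve build failed" and the surviving `// Create Session` comment gives no hint of why the terminal is deliberately not attached. Recent Go releases reject `Setctty` with a `Ctty` that is not a child-side descriptor number, which is presumably what broke; record the actual error in the commit message and add a comment such as `// Setsid only: the shim must not take f as its controlling terminal (Ctty must be a child fd in recent Go)` so nobody reintroduces the lines. `startShim` begins and ends outside the hunk.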
@@ -0,0 +1,32 @@ +From c9737d7702e4042bcc433da720611ebac06f6f6d Mon Sep 17 00:00:00 2001 +From: gaohuatao +Date: Wed, 28 Apr 2021 15:04:02 +0800 +Subject: [PATCH 1/2] fix containerd shim kata v2 compile bug + +reason: fix containerd shim kata v2 compile bug + +Signed-off-by: gaohuatao +--- + containerd-shim-v2/metrics.go | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/containerd-shim-v2/metrics.go b/containerd-shim-v2/metrics.go +index c936966..d59530f 100644 +--- a/containerd-shim-v2/metrics.go ++++ b/containerd-shim-v2/metrics.go +@@ -172,9 +172,9 @@ func copyBlkio(s []vc.BlkioStatEntry) []*cgroups.BlkIOEntry { + return ret + } + +-func setNetworkStats(vcNetwork []*vc.NetworkStats) []*cgroups.NetworkStat { +- networkStats := make([]*cgroups.NetworkStat, len(vcNetwork)) +- for i, v := range vcNetwork { ++func setNetworkStats(vcNetwork *vc.NetworkStats) []*cgroups.NetworkStat { ++ networkStats := make([]*cgroups.NetworkStat, len(vcNetwork.Interfaces)) ++ for i, v := range vcNetwork.Interfaces { + networkStats[i] = &cgroups.NetworkStat{ + Name: v.Name, + RxBytes: v.RxBytes, +-- +2.20.1 + diff --git a/runtime/patches/0072-kata-shimv2-adapt-iSulad-and-open-build-flag.patch b/runtime/patches/0072-kata-shimv2-adapt-iSulad-and-open-build-flag.patch new file mode 100644 index 0000000000000000000000000000000000000000..6c8515730b183778d756f16c41a9e184b90501ac --- /dev/null +++ b/runtime/patches/0072-kata-shimv2-adapt-iSulad-and-open-build-flag.patch 
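Review bot: `setNetworkStats` now takes `*vc.NetworkStats` and dereferences it immediately (`vcNetwork.Interfaces`) with no nil check, so if the caller can hand it an unset `Network` pointer the shim's stats path panics instead of returning empty statistics, where the previous slice-based version just produced a zero-length result. Add `if vcNetwork == nil { return nil }` before the `make`, and say in a doc comment that a nil input yields no entries. The function ends outside the hunk.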
@@ -0,0 +1,197 @@ +From 488ebd1f148bc9ddda9376a065d38cbc9bb9a0fe Mon Sep 17 00:00:00 2001 +From: gaohuatao +Date: Wed, 28 Apr 2021 15:31:30 +0800 +Subject: [PATCH] kata shimv2 adapt iSulad and open build flag + +Signed-off-by: gaohuatao +--- + Makefile | 2 +- + containerd-shim-v2/container.go | 9 +++++ + containerd-shim-v2/service.go | 38 +++++++++++++++++++ + containerd-shim-v2/start.go | 10 +++++ + .../containerd/runtime/v2/shim/shim.go | 9 ++++- + 5 files changed, 65 insertions(+), 3 deletions(-) + +diff --git a/Makefile b/Makefile +index f7a9311..9957db9 100644 +--- a/Makefile ++++ b/Makefile +@@ -505,7 +505,7 @@ define SHOW_ARCH + $(shell printf "\\t%s%s\\\n" "$(1)" $(if $(filter $(ARCH),$(1))," (default)","")) + endef + +-all: runtime netmon ++all: runtime containerd-shim-v2 netmon + + # Targets that depend on .git-commit can use $(shell cat .git-commit) to get a + # git revision string. They will only be rebuilt if the revision string +diff --git a/containerd-shim-v2/container.go b/containerd-shim-v2/container.go +index 6b5e994..fa7f15b 100644 +--- a/containerd-shim-v2/container.go ++++ b/containerd-shim-v2/container.go +@@ -6,10 +6,13 @@ + package containerdshim + + import ( ++ "os" ++ "path" + "time" + + "github.com/containerd/containerd/api/types/task" + "github.com/containerd/containerd/errdefs" ++ cdshim "github.com/containerd/containerd/runtime/v2/shim" + taskAPI "github.com/containerd/containerd/runtime/v2/task" + "github.com/opencontainers/runtime-spec/specs-go" + +@@ -34,6 +37,8 @@ type container struct { + status task.Status + terminal bool + mounted bool ++ exitFifo string ++ exitFd *os.File + } + + func newContainer(s *service, r *taskAPI.CreateTaskRequest, containerType vc.ContainerType, spec *specs.Spec, mounted bool) (*container, error) { +@@ -46,6 +51,9 @@ func newContainer(s *service, r *taskAPI.CreateTaskRequest, containerType vc.Con + spec = &specs.Spec{} + } + ++ dir := os.Getenv(cdshim.ExitFifoDir) ++ exitFifo := path.Join(dir, r.ID, 
exitFifoName) ++ + c := &container{ + s: s, + spec: spec, +@@ -61,6 +69,7 @@ func newContainer(s *service, r *taskAPI.CreateTaskRequest, containerType vc.Con + exitIOch: make(chan struct{}), + exitCh: make(chan uint32, 1), + mounted: mounted, ++ exitFifo: exitFifo, + } + return c, nil + } +diff --git a/containerd-shim-v2/service.go b/containerd-shim-v2/service.go +index 8e9b949..c85eb24 100644 +--- a/containerd-shim-v2/service.go ++++ b/containerd-shim-v2/service.go +@@ -10,6 +10,7 @@ import ( + "io/ioutil" + "os" + sysexec "os/exec" ++ "strconv" + "sync" + "syscall" + "time" +@@ -48,6 +49,8 @@ const ( + // A time span used to wait for publish a containerd event, + // once it costs a longer time than timeOut, it will be canceld. + timeOut = 5 * time.Second ++ ++ exitFifoName = "exit_fifo" + ) + + var ( +@@ -883,7 +886,42 @@ func (s *service) Wait(ctx context.Context, r *taskAPI.WaitRequest) (_ *taskAPI. + func (s *service) processExits() { + for e := range s.ec { + s.checkProcesses(e) ++ ++ if os.Getenv(cdshim.ExitFifoDir) != "" { ++ s.closeExitFifo(e) ++ } ++ } ++} ++ ++func (s *service) closeExitFifo(e exit) { ++ if e.execid != "" { ++ // not a container, no need to close exit fifo ++ return + } ++ ++ var ret uint32 ++ ++ s.mu.Lock() ++ c, err := s.getContainer(e.id) ++ s.mu.Unlock() ++ ++ if err != nil { ++ logrus.WithError(err).Errorf("Process container:%v exit fifo failed", e.id) ++ return ++ } ++ ++ ret = <-c.exitCh ++ // refill the exitCh with the container process's exit code in case ++ // there were other waits on this process. 
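Review bot: `path.Join(dir, r.ID, exitFifoName)` builds the FIFO path from the task ID carried in the `CreateTaskRequest` with no validation, so an ID containing `/` or `..` components makes the shim later open and write a path outside `EXIT_FIFO_DIR`; the shim runs as root and should not assume the engine has sanitised the ID. Reject IDs with path separators or `.`/`..` components before the join (containerd's `identifiers.Validate` does this, if it is vendored), use `filepath.Join`, and check that the result still has `dir` as its prefix. A comment on the new `exitFifo` field documenting the contract would also help, e.g. `// exitFifo: <EXIT_FIFO_DIR>/<id>/exit_fifo, presumably created by the engine; only used when EXIT_FIFO_DIR is set`.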
++ c.exitCh <- ret ++ exitStr := strconv.FormatUint(uint64(ret), 10) ++ ++ _, err = c.exitFd.Write([]byte(exitStr)) ++ if err != nil { ++ logrus.WithError(err).Error("write exit fifo failed") ++ } ++ ++ c.exitFd.Close() + } + + func (s *service) checkProcesses(e exit) { +diff --git a/containerd-shim-v2/start.go b/containerd-shim-v2/start.go +index 173ca7c..bb3ce1d 100644 +--- a/containerd-shim-v2/start.go ++++ b/containerd-shim-v2/start.go +@@ -8,8 +8,11 @@ package containerdshim + import ( + "context" + "fmt" ++ "golang.org/x/sys/unix" ++ "os" + + "github.com/containerd/containerd/api/types/task" ++ cdshim "github.com/containerd/containerd/runtime/v2/shim" + "github.com/kata-containers/runtime/pkg/katautils" + ) + +@@ -53,6 +56,13 @@ func startContainer(ctx context.Context, s *service, c *container) error { + + c.status = task.StatusRunning + ++ if os.Getenv(cdshim.ExitFifoDir) != "" { ++ c.exitFd, err = os.OpenFile(c.exitFifo, unix.O_WRONLY|unix.O_NONBLOCK|unix.O_CLOEXEC, 0) ++ if err != nil { ++ return err ++ } ++ } ++ + stdin, stdout, stderr, err := s.sandbox.IOStream(c.id, c.id) + if err != nil { + return err +diff --git a/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go b/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go +index d60d496..8bccfef 100644 +--- a/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go ++++ b/vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go +@@ -84,6 +84,8 @@ var ( + action string + ) + ++var ExitFifoDir = "EXIT_FIFO_DIR" ++ + func parseFlags() { + flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs") + flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim") +@@ -198,9 +200,12 @@ func run(id string, initFunc Init, config Config) error { + } + return nil + default: +- if err := setLogger(ctx, idFlag); err != nil { +- return err ++ if os.Getenv("EXIT_FIFO_DIR") == "" { ++ if err := setLogger(ctx, idFlag); err != nil { ++ return err ++ } + } 
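Review bot: `closeExitFifo` assumes `c.exitFd` was opened, but `startContainer` only opens it after the container is already running, so a container that exits before or during start reaches `c.exitFd.Write` with a nil `*os.File`; that returns `os.ErrInvalid` rather than panicking, yet the generic `write exit fifo failed` log then hides the real cause. Guard with `if c.exitFd == nil { return }` and include `e.id` in the log message. The `ret = <-c.exitCh` / `c.exitCh <- ret` pair mirrors the existing `Wait` handler's read-then-refill on a 1-buffered channel; since both sides drain and refill the same channel, this call can stall briefly while a concurrent `Wait` holds the value — worth a one-line comment pointing at that shared pattern.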
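Review bot: The FIFO is opened only after `c.status = task.StatusRunning` and the container has been started (earlier in `startContainer`, outside the hunk), so when `os.OpenFile` fails — with `O_WRONLY|O_NONBLOCK` it returns `ENXIO` whenever no reader holds the FIFO open yet, and `ENOENT` if the engine has not created it — `Start` returns an error while the workload keeps running and nobody will ever receive its exit code. Open the FIFO before the container is started (or at create time, where the path is computed) so the failure aborts cleanly, and `fstat` the descriptor to confirm `ModeNamedPipe` so a regular file or symlink planted at that path is rejected instead of written to. The descriptor stays non-blocking, so the later 4-byte write relies on pipe atomicity; a comment such as `// exit code is < PIPE_BUF, so the non-blocking write is all-or-nothing` would record that assumption.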
++ + client := NewShimClient(ctx, service, signals) + return client.Serve() + } +-- +2.20.1 + diff --git a/runtime/patches/0073-write-exit-code-in-integer-byte-order.patch b/runtime/patches/0073-write-exit-code-in-integer-byte-order.patch new file mode 100644 index 0000000000000000000000000000000000000000..2667cbffd92267bbf5a9919ee6e75b1ece9305ed --- /dev/null +++ b/runtime/patches/0073-write-exit-code-in-integer-byte-order.patch 
@@ -0,0 +1,78 @@ +From 3282a8bb49fff14b1eb9742544803255bfa82a82 Mon Sep 17 00:00:00 2001 +From: gaohuatao +Date: Wed, 12 May 2021 17:17:41 +0800 +Subject: [PATCH] write exit code in integer byte order + +reason: write exit code in integer byte order just to adapt iSulad + +Signed-off-by: gaohuatao +--- + containerd-shim-v2/service.go | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/containerd-shim-v2/service.go b/containerd-shim-v2/service.go +index c85eb24..9c40f43 100644 +--- a/containerd-shim-v2/service.go ++++ b/containerd-shim-v2/service.go +@@ -6,14 +6,16 @@ + package containerdshim + + import ( ++ "bytes" + "context" ++ "encoding/binary" + "io/ioutil" + "os" + sysexec "os/exec" +- "strconv" + "sync" + "syscall" + "time" ++ "unsafe" + + eventstypes "github.com/containerd/containerd/api/events" + "github.com/containerd/containerd/api/types/task" +@@ -893,6 +895,12 @@ func (s *service) processExits() { + } + } + ++func isBigEndian() (ret bool) { ++ i := int(0x1) ++ bs := (*[int(unsafe.Sizeof(i))]byte)(unsafe.Pointer(&i)) ++ return bs[0] == 0 ++} ++ + func (s *service) closeExitFifo(e exit) { + if e.execid != "" { + // not a container, no need to close exit fifo +@@ -900,6 +908,7 @@ func (s *service) closeExitFifo(e exit) { + } + + var ret uint32 ++ var nativeEndian binary.ByteOrder + + s.mu.Lock() + c, err := s.getContainer(e.id) +@@ -914,9 +923,17 @@ func (s *service) closeExitFifo(e exit) { + // refill the exitCh with the container process's exit code in case + // there were other waits on this process. 
+ c.exitCh <- ret +- exitStr := strconv.FormatUint(uint64(ret), 10) ++ ++ if isBigEndian() { ++ nativeEndian = binary.BigEndian ++ } else { ++ nativeEndian = binary.LittleEndian ++ } ++ ++ bytesBuffer := bytes.NewBuffer([]byte{}) ++ binary.Write(bytesBuffer, nativeEndian, &ret) + +- _, err = c.exitFd.Write([]byte(exitStr)) ++ _, err = c.exitFd.Write(bytesBuffer.Bytes()) + if err != nil { + logrus.WithError(err).Error("write exit fifo failed") + } +-- +2.20.1 + diff --git a/runtime/patches/0074-add-timeout-for-grpcWaitProcessRequest.patch b/runtime/patches/0074-add-timeout-for-grpcWaitProcessRequest.patch new file mode 100644 index 0000000000000000000000000000000000000000..9900748c43bf80fd6feb47102bab6d45785be0f6 --- /dev/null +++ b/runtime/patches/0074-add-timeout-for-grpcWaitProcessRequest.patch 
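Review bot: `binary.Write(bytesBuffer, nativeEndian, &ret)` discards its error and the byte count returned by `c.exitFd.Write` is never compared with 4, so a short write would be logged as success; the buffer and endianness detection can be replaced by writing the bytes of `ret` directly, `n, err := c.exitFd.Write((*[4]byte)(unsafe.Pointer(&ret))[:])`, followed by `if err == nil && n != 4 { err = io.ErrShortWrite }`. The reason for raw native byte order (the commit message says iSulad reads an integer from the FIFO) belongs in a comment above the write, since nothing else in the file explains why the earlier decimal-string format was wrong.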
@@ -0,0 +1,37 @@
+From 1972d0ac0236564f0d135cf94baad202126d13c8 Mon Sep 17 00:00:00 2001
+From: gaohuatao
+Date: Thu, 3 Jun 2021 16:28:33 +0800
+Subject: [PATCH] add timeout for grpcWaitProcessRequest
+
+reason: add timeout for grpcWaitProcessRequest, it is only used
+in stopping container process
+
+Signed-off-by: gaohuatao
+---
+ virtcontainers/kata_agent.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/virtcontainers/kata_agent.go b/virtcontainers/kata_agent.go
+index 2717e30..058d79e 100644
+--- a/virtcontainers/kata_agent.go
++++ b/virtcontainers/kata_agent.go
+@@ -59,6 +59,7 @@ const (
+ )
+ 
+ var (
++ waitProcessTimeout = 10 * time.Second
+ checkRequestTimeout = 10 * time.Second
+ defaultRequestTimeout = 10 * time.Second
+ createContainerTimeout = 120 * time.Second
+@@ -2154,7 +2155,7 @@ func (k *kataAgent) getReqContext(reqName string) (ctx context.Context, cancel c
+ ctx = context.Background()
+ switch reqName {
+ case grpcWaitProcessRequest:
+- // Wait has no timeout
++ ctx, cancel = context.WithTimeout(ctx, waitProcessTimeout)
+ case grpcCheckRequest:
+ ctx, cancel = context.WithTimeout(ctx, checkRequestTimeout)
+ case grpcCreateContainerRequest:
+--
+2.20.1
+
diff --git a/runtime/patches/0075-move-waitProcess-timeout-to-stop-process.patch b/runtime/patches/0075-move-waitProcess-timeout-to-stop-process.patch
new file mode 100644
index 0000000000000000000000000000000000000000..604108f3d8160ac7098738f5c7d195acb3a09ddf
--- /dev/null
+++ b/runtime/patches/0075-move-waitProcess-timeout-to-stop-process.patch
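Review bot: Adding `waitProcessTimeout` in `getReqContext` puts a 10-second deadline on every `grpcWaitProcessRequest`, not only the one issued while stopping a container as the commit message claims — if the shim's `Wait` for a long-running container goes through the same agent call, as the runtime's structure suggests, it would start failing after 10 s. The next patch in this series (0075) reverts exactly these lines and moves the timeout into `Container.stop`, so the two should be squashed to keep the series bisectable and avoid an intermediate state where `Wait` is broken. `getReqContext` starts and ends outside the hunk.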
@@ -0,0 +1,83 @@ +From 9568f7f2cad915778396dc8a2743c9c3ed7d44b7 Mon Sep 17 00:00:00 2001 +From: gaohuatao +Date: Wed, 16 Jun 2021 14:54:24 +0800 +Subject: [PATCH] move waitProcess timeout to stop process + +reason: move timeout to stopping container process, it is only used in stopping container process to support shimv2 + +Signed-off-by: gaohuatao +--- + virtcontainers/container.go | 28 +++++++++++++++++++++++----- + virtcontainers/kata_agent.go | 3 +-- + 2 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/virtcontainers/container.go b/virtcontainers/container.go +index 34f6ec6..e976453 100644 +--- a/virtcontainers/container.go ++++ b/virtcontainers/container.go +@@ -51,6 +51,8 @@ var cdromMajors = map[int64]string{ + 32: "CM206_CDROM_MAJOR", + } + ++var waitProcessTimeout = 10 * time.Second ++ + var safeCopyFiles = map[string]struct{}{ + "resolv.conf": {}, + "hostname": {}, +@@ -1174,11 +1176,27 @@ func (c *Container) stop(force bool) error { + c.Logger().Errorf("send signal to container failed: %v", err) + } + +- // Since the agent has supported the MultiWaitProcess, it's better to +- // wait the process here to make sure the process has exited before to +- // issue stopContainer, otherwise the RemoveContainerRequest in it will +- // get failed if the process hasn't exited. +- c.sandbox.agent.waitProcess(c, c.id) ++ done := make(chan error) ++ go func() { ++ // Since the agent has supported the MultiWaitProcess, it's better to ++ // wait the process here to make sure the process has exited before to ++ // issue stopContainer, otherwise the RemoveContainerRequest in it will ++ // get failed if the process hasn't exited. 
++ _, err := c.sandbox.agent.waitProcess(c, c.id) ++ if err != nil { ++ done <- err ++ } ++ close(done) ++ }() ++ ++ select { ++ case err := <-done: ++ if err != nil { ++ c.Logger().Errorf("wait process failed:%v", err) ++ } ++ case <-time.After(time.Duration(waitProcessTimeout) * time.Second): ++ // Nothing to do ++ } + + defer func() { + // Save device and drive data. +diff --git a/virtcontainers/kata_agent.go b/virtcontainers/kata_agent.go +index 058d79e..2717e30 100644 +--- a/virtcontainers/kata_agent.go ++++ b/virtcontainers/kata_agent.go +@@ -59,7 +59,6 @@ const ( + ) + + var ( +- waitProcessTimeout = 10 * time.Second + checkRequestTimeout = 10 * time.Second + defaultRequestTimeout = 10 * time.Second + createContainerTimeout = 120 * time.Second +@@ -2155,7 +2154,7 @@ func (k *kataAgent) getReqContext(reqName string) (ctx context.Context, cancel c + ctx = context.Background() + switch reqName { + case grpcWaitProcessRequest: +- ctx, cancel = context.WithTimeout(ctx, waitProcessTimeout) ++ // Wait has no timeout + case grpcCheckRequest: + ctx, cancel = context.WithTimeout(ctx, checkRequestTimeout) + case grpcCreateContainerRequest: +-- +2.20.1 + diff --git a/runtime/patches/0076-kata-containers-check-file-size-before-creating-cont.patch b/runtime/patches/0076-kata-containers-check-file-size-before-creating-cont.patch new file mode 100644 index 0000000000000000000000000000000000000000..03dca413068d4cd93ef007ca87951e1752196367 --- /dev/null +++ b/runtime/patches/0076-kata-containers-check-file-size-before-creating-cont.patch 
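Review bot: `time.After(time.Duration(waitProcessTimeout) * time.Second)` multiplies a value that is already `10 * time.Second` by `time.Second` again: 1e10 ns × 1e9 overflows `int64` (wrapping to roughly -8.4e18), so the timer fires immediately and `stop` proceeds to `stopContainer` without waiting at all — reinstating the race the removed comment describes, where `RemoveContainerRequest` fails because the process has not exited. The select should use `time.After(waitProcessTimeout)`. Independently, `done` is unbuffered and the goroutine only sends on error, so once the timeout branch has been taken a failing `waitProcess` blocks forever on `done <- err` and leaks the goroutine together with the agent stream it holds; give the channel a buffer of one, send unconditionally, and drop the `close`. `Container.stop` continues outside the hunk.
```go
	done := make(chan error, 1)
	go func() {
		// … unchanged: comment about MultiWaitProcess …
		_, err := c.sandbox.agent.waitProcess(c, c.id)
		done <- err
	}()

	select {
	case err := <-done:
		if err != nil {
			c.Logger().Errorf("wait process failed:%v", err)
		}
	case <-time.After(waitProcessTimeout):
		c.Logger().Warnf("wait process timed out after %v, stopping anyway", waitProcessTimeout)
	}
```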
@@ -0,0 +1,91 @@
+From e0fdf20e84cf8c31eab33c562cefd943a6656215 Mon Sep 17 00:00:00 2001
+From: holyfei
+Date: Mon, 21 Feb 2022 09:58:04 +0800
+Subject: [PATCH] kata-runtime: check file size before creating container and
+ doing network operation
+
+reason: check file size before creating container and doing network operation
+
+Signed-off-by: holyfei
+---
+ cli/network.go | 9 +++++++++
+ pkg/katautils/config.go | 9 +++++++++
+ virtcontainers/utils/utils.go | 3 +++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/cli/network.go b/cli/network.go
+index 7dce052..9d3a6dc 100644
+--- a/cli/network.go
++++ b/cli/network.go
+@@ -8,11 +8,13 @@ package main
+ import (
+ "context"
+ "encoding/json"
++ "errors"
+ "fmt"
+ "os"
+
+ vcTypes "github.com/kata-containers/runtime/virtcontainers/pkg/types"
+ "github.com/kata-containers/runtime/virtcontainers/types"
++ "github.com/kata-containers/runtime/virtcontainers/utils"
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+ )
+@@ -261,6 +263,13 @@ func networkModifyCommand(ctx context.Context, containerID, input string, opType
+ if input == "-" {
+ f = os.Stdin
+ } else {
++ st, err := os.Lstat(input)
++ if err != nil {
++ return err
++ }
++ if st.Size() > utils.MaxFileSize {
++ return errors.New("network file too big")
++ }
+ f, err = os.Open(input)
+ if err != nil {
+ return err
+diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
+index fd7f5eb..b0d8f71 100644
+--- a/pkg/katautils/config.go
++++ b/pkg/katautils/config.go
+@@ -10,6 +10,7 @@ import (
+ "errors"
+ "fmt"
+ "io/ioutil"
++ "os"
+ "path/filepath"
+ "strings"
+
+@@ -1291,6 +1292,14 @@ func decodeConfig(configPath string) (tomlConfig, string, error) {
+ return tomlConf, "", fmt.Errorf("Cannot find usable config file (%v)", err)
+ }
+
++ st, err := os.Lstat(resolved)
++ if err != nil {
++ return tomlConf, resolved, err
++ }
++ if st.Size() > utils.MaxFileSize {
++ return tomlConf, resolved, errors.New("config file too big")
++ }
++
+ configData, err := ioutil.ReadFile(resolved)
+ if err != nil {
+ return tomlConf, resolved, err
+diff --git a/virtcontainers/utils/utils.go b/virtcontainers/utils/utils.go
+index d4dad40..04b6bce 100644
+--- a/virtcontainers/utils/utils.go
++++ b/virtcontainers/utils/utils.go
+@@ -41,6 +41,9 @@ const (
+ // Max support memory size in the Kata VM
+ MaxMemorySizeInMB = 512 * 1024
+ MaxMemorySizeInByte = MaxMemorySizeInMB << MibToBytesShift
++
++ // Max file size for config and network json file
++ MaxFileSize = 1 * 1024 * 1024
+ )
+
+ // MaxSocketPathLen is the effective maximum Unix domain socket length.
+--
+2.27.0
+
diff --git a/runtime/patches/0077-kata-containers-use-host_device-drive-when-call-bloc.patch b/runtime/patches/0077-kata-containers-use-host_device-drive-when-call-bloc.patch
new file mode 100644
index 0000000000000000000000000000000000000000..04b649a017dfbc96bb9e1d08c7c0f4174a4d6535
--- /dev/null
+++ b/runtime/patches/0077-kata-containers-use-host_device-drive-when-call-bloc.patch
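Review bot: The new size guard in `networkModifyCommand` uses `os.Lstat`, which does not follow symlinks, so when `input` is a symlink `st.Size()` is the length of the link text rather than of the file that `os.Open` then reads; the `decodeConfig` hunk has the same shape, stat'ing `resolved` by path before `ioutil.ReadFile`. Checking the path and then opening it separately also leaves a window in which the file can change between the two calls. Both are closed by sizing the opened handle (`f.Stat()` after `os.Open`), as below for network.go, or by reading through `io.LimitReader(f, utils.MaxFileSize+1)` and rejecting the input when more than `utils.MaxFileSize` bytes arrive; config.go can take either route. Both enclosing functions start and end outside their hunks, and config.go's `utils` import is not shown here (presumably already present, since the diffstat adds only `os`).
```go
		f, err = os.Open(input)
		if err != nil {
			return err
		}
		// Size the handle we actually read from, not the path: Lstat on a
		// symlink reports the link's own length, and a path-based check can
		// be outdated by the time the file is opened.
		st, err := f.Stat()
		if err != nil {
			f.Close()
			return err
		}
		if st.Size() > utils.MaxFileSize {
			f.Close()
			return errors.New("network file too big")
		}
		// … unchanged: remainder of networkModifyCommand …
```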
@@ -0,0 +1,41 @@
+From 17cb805ec270d069f46e4138fc039d714cb381f1 Mon Sep 17 00:00:00 2001
+From: holyfei
+Date: Mon, 28 Feb 2022 10:22:40 +0800
+Subject: [PATCH] kata-containers: use host_device drive when call blockdev-add
+
+reason: use host_device drive when call blockdev-add
+
+Signed-off-by: holyfei
+---
+ vendor/github.com/intel/govmm/qemu/qmp.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/intel/govmm/qemu/qmp.go b/vendor/github.com/intel/govmm/qemu/qmp.go
+index 0cb82ff..1d6d9c6 100644
+--- a/vendor/github.com/intel/govmm/qemu/qmp.go
++++ b/vendor/github.com/intel/govmm/qemu/qmp.go
+@@ -781,7 +781,7 @@ func (q *QMP) blockdevAddBaseArgs(device, blockdevID string) (map[string]interfa
+ blockdevArgs := map[string]interface{}{
+ "driver": "raw",
+ "file": map[string]interface{}{
+- "driver": "file",
++ "driver": "host_device",
+ "filename": device,
+ },
+ }
+@@ -972,9 +972,9 @@ func (q *QMP) ExecuteNetdevAdd(ctx context.Context, netdevType, netdevID, ifname
+ // Must be valid QMP identifier.
+ func (q *QMP) ExecuteNetdevChardevAdd(ctx context.Context, netdevType, netdevID, chardev string, vhostforce bool, queues int) error {
+ args := map[string]interface{}{
+- "type": netdevType,
+- "id": netdevID,
+- "chardev": chardev,
++ "type": netdevType,
++ "id": netdevID,
++ "chardev": chardev,
+ "vhostforce": vhostforce,
+ }
+ if queues > 1 {
+--
+2.27.0
+
diff --git a/runtime/patches/0078-kata-runtime-modify-build-flags-for-containerd-kata-.patch b/runtime/patches/0078-kata-runtime-modify-build-flags-for-containerd-kata-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..858e4302bab35b055eab545673bf7acdb0b0616b
--- /dev/null
+++ b/runtime/patches/0078-kata-runtime-modify-build-flags-for-containerd-kata-.patch
@@ -0,0 +1,30 @@
+From a6e9215b77ee3e6d912b47dd70c219c0f5547ea2 Mon Sep 17 00:00:00 2001
+From: holyfei
+Date: Thu, 3 Mar 2022 14:36:23 +0800
+Subject: [PATCH] kata-runtime: modify build flags for containerd-kata-shimv2
+
+Signed-off-by: holyfei
+---
+ Makefile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 9957db9..b71abbf 100644
+--- a/Makefile
++++ b/Makefile
+@@ -571,7 +571,11 @@ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external" .)
+
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+- $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .)
++ $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external" .)
+
+ .PHONY: \
+ check \
+--
+1.8.3.1
+
diff --git a/runtime/series.conf b/runtime/series.conf
index 462da994e348cbdc0d10b6ed8128e6066507c54a..2514bd9ee00714a8dddb43c152f72ed418c74d5f 100644
--- a/runtime/series.conf
+++ b/runtime/series.conf
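Review bot: `-fPIE` in the new `CGO_CFLAGS` only compiles the cgo objects as position-independent code; the shimv2 binary itself is a PIE only when `go build` is also given `-buildmode=pie`, and `$(BUILDFLAGS)` is not visible in this hunk, so whether the hardening intent is actually met is worth confirming. The three `CGO_*` assignments are also inlined in the recipe, and the identical three lines recur in the kata-shim Makefile patch (0002) later in this series; defining them once at the top of each Makefile, e.g. `export CGO_CFLAGS := -fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2`, keeps the hardening flags in one place so every `go build` in the file picks them up and later edits cannot drift between rules. The `$(SHIMV2_OUTPUT)` rule is complete within the hunk; the `$(TARGET_OUTPUT)` rule it mirrors starts outside it.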
@@ -63,3 +63,16 @@
 0063-kata-runtime-fix-get-sandbox-cpu-resources-problem.patch
 0064-runtime-add-support-for-stratovirt-of-kata-check-cli.patch
 0065-runtime-fixup-that-the-getPids-function-returns-pid-.patch
+0066-CVE-2020-28914-1.patch
+0067-CVE-2020-28914-2.patch
+0068-kata-runtime-modify-make-flags.patch
+0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
+0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
+0071-fix-containerd-shim-kata-v2-compile-bug.patch
+0072-kata-shimv2-adapt-iSulad-and-open-build-flag.patch
+0073-write-exit-code-in-integer-byte-order.patch
+0074-add-timeout-for-grpcWaitProcessRequest.patch
+0075-move-waitProcess-timeout-to-stop-process.patch
+0076-kata-containers-check-file-size-before-creating-cont.patch
+0077-kata-containers-use-host_device-drive-when-call-bloc.patch
+0078-kata-runtime-modify-build-flags-for-containerd-kata-.patch
diff --git a/shim/patches/0002-kata-shim-modify-make-flags.patch b/shim/patches/0002-kata-shim-modify-make-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..290d3ed0b2f0d44026a382e2736faed9bafa4a28
--- /dev/null
+++ b/shim/patches/0002-kata-shim-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 0a4adf4ffafd31820c471353757de2a6e2260e39 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:52:27 +0800
+Subject: [PATCH] kata-shim: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 5cba637..b244053 100644
+--- a/Makefile
++++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+
+ test:
+--
+2.25.1
+
diff --git a/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch b/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a9b95d10e9229688e4ea267f61c331edf16cb2f
--- /dev/null
+++ b/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch
@@ -0,0 +1,37 @@
+From 68290317bc35b3420506f0e25d7fccbdb9f88f5f Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Mon, 22 Mar 2021 17:21:10 +0800
+Subject: [PATCH] kata-shim: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b244053..70d4a8d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -5,7 +5,7 @@
+ #
+
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
++STRIP := yes
+
+ DESTDIR :=
+ ifeq ($(PREFIX),)
+@@ -36,7 +36,7 @@ $(TARGET): $(SOURCES) $(VERSION_FILE)
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+- go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+
+ test:
+ @echo "Go tests using faketty"
+--
+2.25.1
+
diff --git a/shim/series.conf b/shim/series.conf
index ce1ab400e6d85580734751282687de0cbfbb2b41..3508352a344f963d5143b4798e586df04fdadc34 100644
--- a/shim/series.conf
+++ b/shim/series.conf
@@ -1 +1,3 @@
 0001-kata-shim-fix-kata-shim-process-wait-long-tim.patch
+0002-kata-shim-modify-make-flags.patch
+0003-kata-shim-add-linkmode-to-resolve-build-error.patch
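Review bot: The `STRIP := no` → `STRIP := yes` flip in the first hunk changes the shipped artefact (every default build now drops symbols) but has nothing to do with the stated purpose, "add linkmode to resolve build error", and the message does not mention it; it belongs in its own commit, or at least in the description, because a stripped shim loses the symbol information that crash and post-mortem analysis depend on. The comment above the variable still reads as if `no` were the default and carries a stray curly quote; if the new default is intended, `# Set to "no" to keep symbols in the binary (stripped by default).` would describe it. Both Makefile hunks are complete within the patch, but how `STRIP` is consumed (the `ifeq ($(STRIP),yes)` block) is outside this view.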