From ba3d1f2aa6df2aff7d2371edfbebe21713f0cf37 Mon Sep 17 00:00:00 2001
From: Grooooot
Date: Thu, 5 Mar 2020 14:20:27 +0800
Subject: [PATCH] runc: sync patches

Signed-off-by: Grooooot
---
 README.en.md | 36 -------------
 README.md | 39 --------------
 ...xes-1585-config.Namespaces-is-empty-.patch | 50 +++++++++++++++++
 ...ite-freezer-state-after-every-state-.patch | 46 ++++++++++++++++
 ...y-kill-other-process-when-container-.patch | 43 +++++++++++++++
 ...ix-cgroup-hugetlb-size-prefix-for-kB.patch | 54 +++++++++++++++++++
 ...check-nil-pointers-in-cgroup-manager.patch | 46 ++++++++++++++++
 runc-openeuler.spec | 2 +-
 series.conf | 5 ++
 9 files changed, 245 insertions(+), 76 deletions(-)
 delete mode 100644 README.en.md
 delete mode 100644 README.md
 create mode 100644 patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch
 create mode 100644 patch/0113-runc-Write-freezer-state-after-every-state-.patch
 create mode 100644 patch/0114-runc-may-kill-other-process-when-container-.patch
 create mode 100644 patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch
 create mode 100644 patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch

diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index aae2c0c..0000000
--- a/README.en.md
+++ /dev/null
@@ -1,36 +0,0 @@ -# runc - -#### Description -{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**} - -#### Software Architecture -Software architecture description - -#### Installation - -1. xxxx -2. xxxx -3. xxxx - -#### Instructions - -1. xxxx -2. xxxx -3. xxxx - -#### Contribution - -1. Fork the repository -2. Create Feat_xxx branch -3. Commit your code -4. Create Pull Request - - -#### Gitee Feature - -1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md -2. Gitee blog [blog.gitee.com](https://blog.gitee.com) -3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore) -4. The most valuable open source project [GVP](https://gitee.com/gvp) -5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help) -6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/README.md b/README.md deleted file mode 100644 index 39fd6c8..0000000 --- a/README.md +++ /dev/null @@ -1,39 +0,0 @@ -# runc - -#### 介绍 -{**以下是码云平台说明,您可以替换此简介** -码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台 -无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)} - -#### 软件架构 -软件架构说明 - - -#### 安装教程 - -1. xxxx -2. xxxx -3. xxxx - -#### 使用说明 - -1. xxxx -2. xxxx -3. xxxx - -#### 参与贡献 - -1. Fork 本仓库 -2. 新建 Feat_xxx 分支 -3. 提交代码 -4. 新建 Pull Request - - -#### 码云特技 - -1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md -2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com) -3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目 -4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目 -5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help) -6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) 
diff --git a/patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch b/patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch new file mode 100644 index 0000000..cded071 --- /dev/null +++ b/patch/0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch @@ -0,0 +1,50 @@ +From 38b4e1c3faeb7dfb3001dbd34fb2fe904a642367 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Fri, 13 Dec 2019 03:40:47 +0800 +Subject: [PATCH 1/5] runc: Fixes #1585 config.Namespaces is empty + when accessed + +reason:Fixes #1585 config.Namespaces is empty when accessed + +Change-Id: I734db7320eee233a1b5a3c6f569506b7304e764e +Signed-off-by: xiadanni1 +--- + libcontainer/specconv/spec_linux.go | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go +index 8c4567c..0cbc66f 100644 +--- a/libcontainer/specconv/spec_linux.go ++++ b/libcontainer/specconv/spec_linux.go +@@ -180,13 +180,6 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) { + } + + exists := false +- if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" { +- config.Networks = []*configs.Network{ +- { +- Type: "loopback", +- }, +- } +- } + for _, m := range spec.Mounts { + config.Mounts = append(config.Mounts, createLibcontainerMount(cwd, m)) + } +@@ -217,7 +210,13 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) { + } + config.Namespaces.Add(t, ns.Path) + } +- ++ if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" { ++ config.Networks = []*configs.Network{ ++ { ++ Type: "loopback", ++ }, ++ } ++ } + // set extra path masking for libcontainer for the various unsafe places in proc + config.MaskPaths = spec.Linux.MaskedPaths + config.ReadonlyPaths = spec.Linux.ReadonlyPaths +-- +1.8.3.1 + 
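Review bot: The relocated loopback block carries no explanation of why it must follow the namespace loop (the `config.Namespaces.Add(t, ns.Path)` loop directly above it), so a later refactor can drift it back to its old position and silently reintroduce the #1585 symptom, where config.Namespaces is still empty when `Contains(configs.NEWNET)` runs and no loopback network is ever configured. I would prefix the moved `if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {` with `// Namespaces are only populated by the loop above; check for a fresh NEWNET here, not earlier, so the loopback device is actually added (fixes #1585).` The blank line the patch removes before `// set extra path masking` could also be kept for readability. CreateLibcontainerConfig starts and ends outside the hunk.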
diff --git a/patch/0113-runc-Write-freezer-state-after-every-state-.patch b/patch/0113-runc-Write-freezer-state-after-every-state-.patch
new file mode 100644
index 0000000..52c632f
--- /dev/null
+++ b/patch/0113-runc-Write-freezer-state-after-every-state-.patch
@@ -0,0 +1,46 @@ +From caea676dbff1834f7c22c0ebe20a1d2c8c18b762 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Fri, 13 Dec 2019 06:50:44 +0800 +Subject: [PATCH 2/5] runc:Write freezer state after every state + check + +reason:This commit ensures we write the expected freezer cgroup state +after every state check, in case the state check does not give the expected +result. This can happen when a new task is created and prevents the +whole cgroup to be FROZEN, leaving the state into FREEZING instead. + +This patch prevents the case of an infinite loop to happen. +Fixes https://github.com/opencontainers/runc/issues/1609 + +Change-Id: I8243eba847357715b13fd4e291bee9782ee50360 +Signed-off-by: xiadanni1 +--- + libcontainer/cgroups/fs/freezer.go | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/libcontainer/cgroups/fs/freezer.go b/libcontainer/cgroups/fs/freezer.go +index e70dfe3..5ab3c02 100644 +--- a/libcontainer/cgroups/fs/freezer.go ++++ b/libcontainer/cgroups/fs/freezer.go +@@ -29,11 +29,14 @@ func (s *FreezerGroup) Apply(d *cgroupData) error { + func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error { + switch cgroup.Resources.Freezer { + case configs.Frozen, configs.Thawed: +- if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil { +- return err +- } +- + for { ++ // In case this loop does not exit because it doesn't get the expected ++ // state, let's write again this state, hoping it's going to be properly ++ // set this time. Otherwise, this loop could run infinitely, waiting for ++ // a state change that would never happen. ++ if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil { ++ return err ++ } + state, err := readFile(path, "freezer.state") + if err != nil { + return err +-- +1.8.3.1 + 
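Review bot: The rewritten loop in FreezerGroup.Set still has no upper bound: it now rewrites freezer.state on every pass, but if the cgroup never reaches the requested state (the FREEZING case the description mentions, when some task in the cgroup cannot be frozen) the loop keeps spinning and additionally issues a write per iteration, so the description's "prevents the case of an infinite loop" only holds when a retry eventually succeeds. I would cap the attempts and fail with the state that was not reached, e.g. turn `for {` into `for attempt := 0; ; attempt++ {` and put `if attempt >= maxFreezerRetries { return fmt.Errorf("freezer state %q not reached after %d attempts", cgroup.Resources.Freezer, attempt) }` before the write, with the constant defined at package level (this needs fmt in scope, which the hunk does not show). The comparison and any sleep that end the loop lie outside the hunk, so a bound already present there would make this moot. Set's body continues past the hunk.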
diff --git a/patch/0114-runc-may-kill-other-process-when-container-.patch b/patch/0114-runc-may-kill-other-process-when-container-.patch new file mode 100644 index 0000000..f41b558 --- /dev/null +++ b/patch/0114-runc-may-kill-other-process-when-container-.patch @@ -0,0 +1,43 @@ +From b39f29f48456ae7e9b85ff7584adeb7e68fda460 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Thu, 19 Dec 2019 02:35:01 +0800 +Subject: [PATCH 3/5] runc: may kill other process when container + has been stopped + +reason:may kill other process when container has been stopped + +Change-Id: Iaa1af6f44dec5d7eac3518ff1dbdfedc68eb7219 +Signed-off-by: xiadanni1 +--- + libcontainer/container_linux.go | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go +index e7c178b..9b25183 100644 +--- a/libcontainer/container_linux.go ++++ b/libcontainer/container_linux.go +@@ -358,10 +358,18 @@ func (c *linuxContainer) Signal(s os.Signal, all bool) error { + if all { + return signalAllProcesses(c.cgroupManager, s) + } +- if err := c.initProcess.signal(s); err != nil { +- return newSystemErrorWithCause(err, "signaling init process") ++ status, err := c.currentStatus() ++ if err != nil { ++ return err + } +- return nil ++ // to avoid a PID reuse attack ++ if status == Running || status == Created { ++ if err := c.initProcess.signal(s); err != nil { ++ return newSystemErrorWithCause(err, "signaling init process") ++ } ++ return nil ++ } ++ return newGenericError(fmt.Errorf("container not running"), ContainerNotRunning) + } + + func (c *linuxContainer) createExecFifo() error { +-- +1.8.3.1 + diff --git a/patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch b/patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch new file mode 100644 index 0000000..56f0730 --- /dev/null +++ b/patch/0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch 
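Review bot: The status check narrows but does not close the PID-reuse window the new comment refers to: `c.currentStatus()` and `c.initProcess.signal(s)` are two separate steps, so the init process can exit and its PID be recycled between them, and the new code would then still deliver the signal to an unrelated process. Fully closing it needs a kernel-side process handle (pidfd) or re-verifying that the target is still the recorded init immediately before signaling, which the hunk does not attempt; at minimum the one-line comment should state the residual risk, e.g. `// Only signal init while the container is Running/Created; this narrows (but cannot fully close) the window in which init's PID could be reused by another process.` Whether Signal runs under a container lock is not visible here, and the new return path relies on fmt and ContainerNotRunning already being in scope in container_linux.go. Signal's opening lines are outside the hunk; its closing brace is inside it.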
@@ -0,0 +1,54 @@ +From d46d29ea24d8fb4fc03c739e619d7d241dc5556c Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Thu, 19 Dec 2019 02:37:54 +0800 +Subject: [PATCH 4/5] runc: Fix cgroup hugetlb size prefix for kB + +reason:The hugetlb cgroup control files (introduced here in 2012: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abb8206cb0773) +use "KB" and not "kB" +(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/hugetlb_cgroup.c?h=v5.0#n349). + +The behavior in the kernel has not changed since the introduction, and +the current code using "kB" will therefore fail on devices with small +amounts of ram (see +https://github.com/kubernetes/kubernetes/issues/77169) running a kernel +with config flag CONFIG_HUGETLBFS=y + +As seen from the code in "mem_fmt" inside hugetlb_cgroup.c, only "KB", +"MB" and "GB" are used, so the others may be removed as well. + +Here is a real world example of the files inside the +"/sys/kernel/mm/hugepages/" directory: +- "hugepages-64kB" +- "hugepages-2048kB" +- "hugepages-32768kB" +- "hugepages-1048576kB" + +And the corresponding cgroup files: +- "hugetlb.64KB._____" +- "hugetlb.2MB._____" +- "hugetlb.32MB._____" +- "hugetlb.1GB._____" + +Change-Id: If35e44e4b6846f8ed2870aedb9fed5dd3a38e91f +Signed-off-by: xiadanni1 +--- + libcontainer/cgroups/utils.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libcontainer/cgroups/utils.go b/libcontainer/cgroups/utils.go +index c9411ee..5155e14 100644 +--- a/libcontainer/cgroups/utils.go ++++ b/libcontainer/cgroups/utils.go +@@ -384,7 +384,7 @@ func RemovePaths(paths map[string]string) (err error) { + + func GetHugePageSize() ([]string, error) { + var pageSizes []string +- sizeList := []string{"B", "kB", "MB", "GB", "TB", "PB"} ++ sizeList := []string{"B", "KB", "MB", "GB", "TB", "PB"} + files, err := ioutil.ReadDir("/sys/kernel/mm/hugepages") + if err != nil { + return pageSizes, err +-- +1.8.3.1 + 
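Review bot: The lowercase-to-uppercase switch in `sizeList` reads like an accidental case change to anyone who only knows the `hugepages-2048kB` names under /sys/kernel/mm/hugepages, and the reason lives solely in the patch description, so it deserves a comment at the declaration: `// The hugetlb cgroup control files use "KB"/"MB"/"GB" (see mem_fmt in the kernel's hugetlb_cgroup.c), unlike the "kB" suffix of /sys/kernel/mm/hugepages entries; keep this uppercase.` The description also states the kernel only emits KB, MB and GB, so the remaining entries are harmless but could be trimmed if the list is meant to mirror the kernel. GetHugePageSize continues past the hunk, so how the directory-name suffix is rewritten into a cgroup suffix is not visible here.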
diff --git a/patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch b/patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch new file mode 100644 index 0000000..40ffb1b --- /dev/null +++ b/patch/0116-runc-check-nil-pointers-in-cgroup-manager.patch @@ -0,0 +1,46 @@ +From 1b9ff04a3f6e7bc9b8bce087ccacf894c21adc97 Mon Sep 17 00:00:00 2001 +From: xiadanni1 +Date: Thu, 19 Dec 2019 02:41:08 +0800 +Subject: [PATCH 5/5] runc: check nil pointers in cgroup manager + +reason:check nil pointers in cgroup manager + +Change-Id: I94bda4b4ca4031ee93d54885603e60e64d3683a0 +Signed-off-by: xiadanni1 +--- + libcontainer/cgroups/fs/apply_raw.go | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go +index 7677f33..73c733a 100644 +--- a/libcontainer/cgroups/fs/apply_raw.go ++++ b/libcontainer/cgroups/fs/apply_raw.go +@@ -189,9 +189,13 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) { + } + + func (m *Manager) Set(container *configs.Config) error { ++ if container.Cgroups == nil { ++ return nil ++ } ++ + // If Paths are set, then we are just joining cgroups paths + // and there is no need to set any values. +- if m.Cgroups.Paths != nil { ++ if m.Cgroups != nil && m.Cgroups.Paths != nil { + return nil + } + +@@ -214,6 +218,10 @@ func (m *Manager) Set(container *configs.Config) error { + // Freeze toggles the container's freezer cgroup depending on the state + // provided + func (m *Manager) Freeze(state configs.FreezerState) error { ++ if m.Cgroups == nil { ++ return errors.New("cannot toggle freezer: cgroups not configured for container") ++ } ++ + paths := m.GetPaths() + dir := paths["freezer"] + prevState := m.Cgroups.Resources.Freezer +-- +1.8.3.1 + diff --git a/runc-openeuler.spec b/runc-openeuler.spec index c87c57c..306f853 100644 --- a/runc-openeuler.spec +++ b/runc-openeuler.spec 
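Review bot: The two new nil guards handle the same missing-configuration condition differently: `Set` returns nil when `container.Cgroups == nil`, so a caller asking for resource limits gets success with nothing applied (fail-open), while `Freeze` returns an error for a nil `m.Cgroups`. If the silent no-op is intentional (a config with no cgroup section), say so next to the check, `// No cgroup configuration means there are no limits to apply; treat this as a no-op rather than an error.`; otherwise returning an error consistent with Freeze is the safer default than quietly skipping enforcement. The `errors.New` call assumes errors is already imported in apply_raw.go, which the hunk does not show, and Freeze still dereferences `m.Cgroups.Resources` right after its guard, so a nil Resources (if that can occur) is not covered. Both Set and Freeze extend beyond their hunks.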
@@ -2,7 +2,7 @@ Name: docker-runc Version: 1.0.0.rc3 -Release: 101 +Release: 102 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. License: ASL 2.0 diff --git a/series.conf b/series.conf index d891a9c..f5f469a 100644 --- a/series.conf +++ b/series.conf @@ -108,3 +108,8 @@ 0111-runc-add-log-message-for-cgroup-file-check.patch 0112-runc-add-log-message-for-cgroup-file-check.patch 0113-runc-modify-files-cgroup-info-reading-path.patch +0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch +0113-runc-Write-freezer-state-after-every-state-.patch +0114-runc-may-kill-other-process-when-container-.patch +0115-runc-Fix-cgroup-hugetlb-size-prefix-for-kB.patch +0116-runc-check-nil-pointers-in-cgroup-manager.patch -- Gitee
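Review bot: The five new series.conf entries reuse sequence numbers already present in the series: the context lines show `0112-runc-add-log-message-for-cgroup-file-check.patch` and `0113-runc-modify-files-cgroup-info-reading-path.patch`, and the additions begin with `0112-runc-Fixes-1585-config.Namespaces-is-empty-.patch` and `0113-runc-Write-freezer-state-after-every-state-.patch`. The file names differ, so the series still applies in order, but duplicate prefixes undermine the ordering the numbers exist to express and make any reference to "patch 0112" ambiguous. I would renumber the new patch files (and these lines) to continue from the highest number currently in use; only 0111–0113 are visible in the context, so the next free number has to be confirmed against the full file.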