diff --git a/0125-runc-compile-option-compliance.patch b/0125-runc-compile-option-compliance.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd564805399f645a37c0f2d48da85d6f96083de5
--- /dev/null
+++ b/0125-runc-compile-option-compliance.patch
@@ -0,0 +1,38 @@
+From d7e62b082d564d0ac1e58257f34d25082e58c3cf Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 18 Mar 2021 11:17:13 +0800
+Subject: [PATCH] runc: compile option compliance
+
+Signed-off-by: xiadanni
+---
+ Makefile | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 43d15bf..fcf34ea 100644
+--- a/Makefile
++++ b/Makefile
+@@ -39,10 +39,17 @@ recvtty: contrib/cmd/recvtty/recvtty
+ contrib/cmd/recvtty/recvtty: $(SOURCES)
+ go build -i -ldflags " -buildid=IdByIsula ${BEP_FLAG} -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -tags "$(BUILDTAGS)" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
+ 
++LD_FLAGS='-w -buildid=none -tmpdir=/tmp/bep-runc -linkmode=external -extldflags=-Wl,-z,relro,-z,now \
++ -X main.gitCommit=${COMMIT} -X main.version=${VERSION}'
++
+ static: $(SOURCES)
+- mkdir -p ${BEP_DIR}
+- CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -buildid=IdByIsula -extldflags -static ${BEP_FLAG} -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o runc .
+- CGO_ENABLED=1 go build -i -tags "$(BUILDTAGS) cgo static_build" -ldflags "-w -buildid=IdByIsula -extldflags -static ${BEP_FLAG} -X main.gitCommit=${COMMIT} -X main.version=${VERSION}" -o contrib/cmd/recvtty/recvtty ./contrib/cmd/recvtty
++ rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc
++ CGO_ENABLED=1 \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build -buildmode=pie -i -tags "$(BUILDTAGS) cgo static_build" -ldflags '-extldflags=-static' -ldflags $(LD_FLAGS) -o runc .
+ 
+ release:
+ @flag_list=(seccomp selinux apparmor static); \
+-- 
+1.8.3.1
+
diff --git a/git-commit b/git-commit
index e9357639a262b2973ef8baeb593e7a91da7ed3d6..ed1035159c5b8b6ca0887df59abded22d2bcc465 100644
--- a/git-commit
+++ b/git-commit
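Review bot: `-ldflags '-extldflags=-static'` on the new `go build` line is dead: `go build` keeps only the last `-ldflags` value given for a package, so `-ldflags $(LD_FLAGS)` replaces it, and with `-linkmode=external` and `-buildmode=pie` the `static` target now emits a dynamically linked PIE while still building with the `static_build` tag (the second, static `recvtty` build of the old recipe is dropped too, which may or may not be intended). If static output is still wanted, fold `-static` into the one `-extldflags` value inside `LD_FLAGS` (the Go linker likewise keeps only the last `-extldflags`), quoted so the words stay one flag and using a static-PIE capable toolchain; otherwise delete the dead `-ldflags '-extldflags=-static'` and document that the target is no longer static. Separately, `rm -rf /tmp/bep-runc && mkdir /tmp/bep-runc` together with `-tmpdir=/tmp/bep-runc` fixes a predictable name inside the shared /tmp, so a same-named directory owned by another account on the build host makes the build fail and parks linker temporaries under a path the build does not control; a scratch directory under the build tree, e.g. `$(CURDIR)/.bep-tmp`, keeps the path predictable without that exposure.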
@@ -1 +1 @@
-b41f69f2326e31c3868ea78abbd046217a43868f
+115f07e6a16508a63b98f4f375e285607822b8a8
diff --git a/patch/0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch b/patch/0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
new file mode 100644
index 0000000000000000000000000000000000000000..23466beb9ed35001fa95189a8da494a72ea71cbf
--- /dev/null
+++ b/patch/0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
@@ -0,0 +1,70 @@
+From 0fe280f25568a5700f9ac388b1434b344e1d1fab Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Mon, 4 Jan 2021 20:00:26 +0800
+Subject: [PATCH] runc: add cpu and memory info when print cgroup info
+
+Signed-off-by: xiadanni
+---
+ libcontainer/container_linux.go | 4 ++--
+ libcontainer/standard_init_linux.go | 23 +++++++++++++----------
+ 2 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 9b25183..7319286 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -310,10 +310,10 @@ func (c *linuxContainer) start(process *Process) error {
+ return newSystemErrorWithCause(err, "creating new parent process")
+ }
+ if err := parent.start(); err != nil {
+- printFilesInfo(c.config.Cgroups.Path)
++ printCgroupInfo(c.config.Cgroups.Path)
+ // terminate the process to ensure that it properly is reaped.
+ if err := parent.terminate(); err != nil {
+- logrus.Warn(err)
++ logrus.Warnf("parent process terminate error: %v", err)
+ }
+ return newSystemErrorWithCause(err, "starting container process")
+ }
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 96901ef..b985180 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -215,21 +215,24 @@ func (l *linuxStandardInit) Init() error {
+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+ syscall.Close(l.stateDirFD)
+ if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+- printMemoryInfo()
+- printFilesInfo("")
++ printCgroupInfo("")
+ return newSystemErrorWithCause(err, "exec user process")
+ }
+ return nil
+ }
+
+-func printMemoryInfo() {
+- printFileContent("/proc/meminfo")
+- printFileContent("/sys/fs/cgroup/memory/memory.stat")
+-}
+-
+-func printFilesInfo(path string) {
+- printFileContent(filepath.Join("/sys/fs/cgroup/files", path, "/files.limit"))
+- 
printFileContent(filepath.Join("/sys/fs/cgroup/files", path, "/files.usage"))
++func printCgroupInfo(path string) {
++ infoFileList := []string{
++ "/proc/meminfo",
++ "/sys/fs/cgroup/memory/memory.stat",
++ filepath.Join("/sys/fs/cgroup/files", path, "/files.limit"),
++ filepath.Join("/sys/fs/cgroup/files", path, "/files.usage"),
++ filepath.Join("/sys/fs/cgroup/memory", path, "/memory.stat"),
++ filepath.Join("/sys/fs/cgroup/cpu", path, "/cpu.stat"),
++ }
++ for _, file := range infoFileList {
++ printFileContent(file)
++ }
+ }
+ 
+ func printFileContent(path string) {
+-- 
+1.8.3.1
+
diff --git a/patch/0124-runc-fix-freezing-race.patch b/patch/0124-runc-fix-freezing-race.patch
new file mode 100644
index 0000000000000000000000000000000000000000..14db2c12ac1dcd4e7d17dcfa9f84a9b58aedb3f0
--- /dev/null
+++ b/patch/0124-runc-fix-freezing-race.patch
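Review bot: `printCgroupInfo` carries no comment and its list holds the same file twice when `path` is empty, which is exactly how `Init()` calls it: `"/sys/fs/cgroup/memory/memory.stat"` and `filepath.Join("/sys/fs/cgroup/memory", path, "/memory.stat")` both resolve to the root `memory.stat`, so it is printed twice on the exec-failure path. A guard in the loop removes the repeat, e.g. `if _, dup := seen[file]; dup { continue }` followed by `seen[file] = struct{}{}` before `printFileContent(file)`, with `seen := map[string]struct{}{}` declared above the loop. Add a doc comment along the lines of `// printCgroupInfo dumps /proc/meminfo and the files, memory and cpu stat files of the cgroup at path (the root cgroup when path is "") as a diagnostic after a failed start or exec; the paths assume the cgroup v1 layout under /sys/fs/cgroup.` The `start` hunk also hands `c.config.Cgroups.Path` straight to `filepath.Join`, which presumably only resolves for the cgroupfs driver's plain-path form and not a systemd-style `slice:prefix:name` value, so how `printFileContent` reports a missing file matters — its body lies outside the hunk.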
@@ -0,0 +1,69 @@
+From 943822abaa0aee51985384912292589ae1e34622 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 4 Feb 2021 16:26:49 +0800
+Subject: [PATCH] runc: fix freezing race
+
+runc kill blocks in freezer.Set, freezer.state keeps in freezing,
+because new process is creating during freeze.
+
+Upstream:https://github.com/opencontainers/runc/pull/2774
+ https://github.com/opencontainers/runc/pull/2791
+
+Signed-off-by: xiadanni
+---
+ libcontainer/cgroups/fs/freezer.go | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/libcontainer/cgroups/fs/freezer.go b/libcontainer/cgroups/fs/freezer.go
+index 5ab3c02..40f70c1 100644
+--- a/libcontainer/cgroups/fs/freezer.go
++++ b/libcontainer/cgroups/fs/freezer.go
+@@ -3,6 +3,7 @@
+ package fs
+ 
+ import (
++ "errors"
+ "fmt"
+ "strings"
+ "time"
+@@ -28,24 +29,32 @@ func (s *FreezerGroup) Apply(d *cgroupData) error {
+ 
+ func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
+ switch cgroup.Resources.Freezer {
+- case configs.Frozen, configs.Thawed:
+- for {
++ case configs.Frozen:
++ for i := 0; i < 1000; i++ {
++ if i%50 == 49 {
++ writeFile(path, "freezer.state", string(configs.Thawed))
++ time.Sleep(10 * time.Millisecond)
++ }
+ // In case this loop does not exit because it doesn't get the expected
+ // state, let's write again this state, hoping it's going to be properly
+ // set this time. Otherwise, this loop could run infinitely, waiting for
+ // a state change that would never happen.
+- if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
++ if err := writeFile(path, "freezer.state", string(configs.Frozen)); err != nil {
+ return err
+ }
+ state, err := readFile(path, "freezer.state")
+ if err != nil {
+ return err
+ }
+- if strings.TrimSpace(state) == string(cgroup.Resources.Freezer) {
+- break
++ if strings.TrimSpace(state) == string(configs.Frozen) {
++ return nil
+ }
+ time.Sleep(1 * time.Millisecond)
+ }
++ writeFile(path, "freezer.state", string(configs.Thawed))
++ return errors.New("unable to freeze")
++ case configs.Thawed:
++ return writeFile(path, "freezer.state", string(configs.Thawed))
+ case configs.Undefined:
+ return nil
+ default:
+-- 
+1.8.3.1
+
diff --git a/runc-openeuler.spec b/runc-openeuler.spec
index c8386b4ed37111943ab662272c2e58a530300595..5bd8cfe40d829ee1ca7f12a6a8e720220518a78a 100644
--- a/runc-openeuler.spec
+++ b/runc-openeuler.spec
@@ -1,8 +1,10 @@
+#needsrootforbuild
 %global _bindir /usr/local/bin
+%global debug_package %{nil}
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 110
+Release: 112
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -38,6 +40,7 @@ ln -sf `pwd` .gopath/src/github.com/opencontainers/runc
 cd .gopath/src/github.com/opencontainers/runc
 make BUILDTAGS="seccomp selinux" static
 rm -rf .gopath
+strip runc
 install -d $RPM_BUILD_ROOT/%{_bindir}
 install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
@@ -49,5 +52,19 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Thu Mar 18 2021 xiadanni - 1.0.0.rc3-112
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:build security option
+
+* Thu Mar 18 2021 xiadanni - 1.0.0.rc3-111
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:sync bugfix, include
+ 1. add cpu and memory info when print cgroup info
+ 2. fix freezing race
+
 * Fri Dec 11 2020 yangyanchao - 1.0.0.rc-110
 - add symbol in sys to support riscv
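Review bot: Inside the new `for i := 0; i < 1000; i++` loop, a failing `writeFile(... configs.Frozen)` or `readFile` returns the error straight away and never writes `configs.Thawed` back — only the timeout path before `errors.New("unable to freeze")` does — so the cgroup can be left at FREEZING, the very state the description says `runc kill` gets stuck on. The two `writeFile(path, "freezer.state", string(configs.Thawed))` calls also drop their result without an explicit `_ =`, so a reader (and `go vet`/staticcheck) cannot tell the discard is intended. The rewrite below moves the revert into a deferred function keyed on a named result (`Err`, still a plain `error` to callers, so the signature stays compatible), marks the best-effort writes, and removes the now-redundant thaw before the timeout error; the rest of the loop body and the `Thawed`/`Undefined`/`default` cases are unchanged. `Set` continues past the end of the hunk, which is cut off after `default:`.
```go
func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) (Err error) {
	switch cgroup.Resources.Freezer {
	case configs.Frozen:
		defer func() {
			if Err != nil {
				// A failed freeze must not leave the cgroup in FREEZING:
				// best-effort revert; the original error is what we return.
				_ = writeFile(path, "freezer.state", string(configs.Thawed))
			}
		}()
		for i := 0; i < 1000; i++ {
			if i%50 == 49 {
				// Periodic thaw (per the commit message, a process being created
				// mid-freeze can keep the state at FREEZING); a failure here is
				// surfaced by the next FROZEN write, so the result is dropped.
				_ = writeFile(path, "freezer.state", string(configs.Thawed))
				time.Sleep(10 * time.Millisecond)
			}
			// … unchanged: write FROZEN, read freezer.state back, return nil once FROZEN, 1ms sleep …
		}
		return errors.New("unable to freeze")
	// … unchanged: Thawed, Undefined and default cases …
```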
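Review bot: `#needsrootforbuild` in the first hunk of runc-openeuler.spec makes the whole package build run as root, and neither the spec nor the changelog entry (`DESC:build security option`) says which step needs it; the Makefile change in this same commit only touches compiler/linker flags and a scratch directory under /tmp, none of which requires root, so the directive looks unneeded and widens what a faulty recipe can damage on the build host. If a step really does need it, state the step and the reason in a comment above the directive; otherwise drop the line. `%global debug_package %{nil}` and `strip runc` are consistent with the `-w` link flag, but together they leave no debuginfo subpackage at all; if that is intended, a one-line comment saying so will stop the next maintainer from re-enabling it.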
diff --git a/series.conf b/series.conf
index eb343a93964956b4ca220c6ae8ad439dc1c758e6..7c53b831dbf42f553eb6a207c434614711b91b01 100644
--- a/series.conf
+++ b/series.conf
@@ -120,3 +120,7 @@
 0120-runc-fix-permission-denied.patch
 0121-runc-add-sys-symbol-to-support-riscv.patch
 0122-runc-add-riscv-on-existing-files.patch
+0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch
+0124-runc-fix-freezing-race.patch
+0125-runc-compile-option-compliance.patch
+#end
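Review bot: The new entry `0125-runc-compile-option-compliance.patch` is listed in series.conf, but this commit creates that file at the repository root (`b/0125-runc-compile-option-compliance.patch`), whereas the two other patches it adds land under `patch/` (`b/patch/0121-...`, `b/patch/0124-...`) as the existing entries presumably do; if the build resolves series.conf names under `patch/`, the 0125 patch is never found and the compile-option change silently does not apply. Move the file to `patch/0125-runc-compile-option-compliance.patch`. The new `0121-runc-add-cpu-and-memory-info-when-print-cgroup-info.patch` also reuses the `0121` prefix already taken by `0121-runc-add-sys-symbol-to-support-riscv.patch` two lines above and is listed after `0122`, so the numbers no longer reflect apply order; renumbering it `0123-...` (the only free slot before `0124`) keeps the series readable.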