diff --git a/patch/0147-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch b/patch/0147-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch
new file mode 100644
index 0000000000000000000000000000000000000000..142930ad25046e960a420873b3263cb010037acc
--- /dev/null
+++ b/patch/0147-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch
@@ -0,0 +1,49 @@
+From a5d5191301de25f26942c07ea4502a716755a32e Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Mon, 13 Nov 2023 15:39:21 -0800
+Subject: [PATCH] libct: Destroy: don't proceed in case of errors
+
+For some reason, container destroy operation removes container's state
+directory even if cgroup removal fails (and then still returns an
+error). It has been that way since commit 5c246d038fc47b, which added
+cgroup removal.
+
+This is problematic because once the container state dir is removed, we
+no longer know container's cgroup and thus can't remove it.
+
+Let's return the error early and fail if cgroup can't be removed.
+
+Same for other operations: do not proceed if we fail.
+
+Signed-off-by: Kir Kolyshkin
+---
+ libcontainer/state_linux.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
+index c77d4f2..dd4dcd4 100644
+--- a/libcontainer/state_linux.go
++++ b/libcontainer/state_linux.go
+@@ -44,14 +44,14 @@ func destroy(c *linuxContainer) error {
+ logrus.Warn(err)
+ }
+ }
+- err := c.cgroupManager.Destroy()
+- if rerr := os.RemoveAll(c.root); err == nil {
+- err = rerr
++ if err := c.cgroupManager.Destroy(); err != nil {
++ return fmt.Errorf("unable to remove container's cgroup: %w", err)
+ }
+- c.initProcess = nil
+- if herr := runPoststopHooks(c); err == nil {
+- err = herr
++ if err := os.RemoveAll(c.root); err != nil {
++ return fmt.Errorf("unable to remove container root dir: %w", err)
+ }
++ c.initProcess = nil
++ err := runPoststopHooks(c)
+ c.state = &stoppedState{c: c}
+ return err
+ }
+-- 
+2.17.1
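Review bot: The two new early returns in the embedded `destroy` hunk leave `c.state` and `c.initProcess` untouched, while the `runPoststopHooks` failure at the end still transitions to `stoppedState` and returns the error; this asymmetry is deliberate (the commit message says the state dir must survive so the cgroup can still be found and removed) but nothing in the code says so, and a later maintainer may "fix" the early returns by marking the container stopped. I would add, above the `c.cgroupManager.Destroy()` check, `// On failure, keep state and root dir so destroy can be retried.` and, above the `runPoststopHooks` call, `// Root dir is gone; hook failure is reported but not retryable.` (the second is my inference from the ordering, worth confirming). Since this is a backport onto a 1.0.0.rc3 tree, also confirm that `libcontainer/state_linux.go` already imports `fmt` and that the build toolchain supports `%w` in `fmt.Errorf`; the patch adds no import hunk. The enclosing `destroy` function opens before the hunk's first line.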
diff --git a/runc.spec b/runc.spec
index 4635d5c7312604c65c4f08d9d0c4f0419daa559b..0a0a7fb5fb417d0d5ca7e362d2a2f253d530f53e 100644
--- a/runc.spec
+++ b/runc.spec
@@ -2,7 +2,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 221
+Release: 222
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 
 %changelog
+* Fri Dec 8 2023 zhongjiawei - 1.0.0.rc3-222
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libct: Destroy: don't proceed in case of errors
+
 * Mon Dec 4 2023 zhongjiawei - 1.0.0.rc3-221
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index da38f32139015238d08e85cb3a502ed8eb3ad6e5..07b2e7603a7f52ea8df8c05cb1ef17e4660df9d0 100644
--- a/series.conf
+++ b/series.conf
@@ -138,3 +138,4 @@
 0144-runc-update-skip-devices.patch
 0145-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch
 0146-runc-delete-do-not-ignore-error-from-destroy.patch
+0147-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch