From 3f923a4f2e18d4520f8794945ff1077fadaa2d8a Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 8 Dec 2023 16:37:59 +0800
Subject: [PATCH] runc:runc delete don't proceed in case of errors
---
 ...troy-don-t-proceed-in-case-of-errors.patch | 49 +++++++++++++++++++
 runc.spec | 8 ++-
 series.conf | 1 +
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 patch/0154-libct-Destroy-don-t-proceed-in-case-of-errors.patch
diff --git a/patch/0154-libct-Destroy-don-t-proceed-in-case-of-errors.patch b/patch/0154-libct-Destroy-don-t-proceed-in-case-of-errors.patch
new file mode 100644
index 0000000..142930a
--- /dev/null
+++ b/patch/0154-libct-Destroy-don-t-proceed-in-case-of-errors.patch
@@ -0,0 +1,49 @@
+From a5d5191301de25f26942c07ea4502a716755a32e Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Mon, 13 Nov 2023 15:39:21 -0800
+Subject: [PATCH] libct: Destroy: don't proceed in case of errors
+
+For some reason, container destroy operation removes container's state
+directory even if cgroup removal fails (and then still returns an
+error). It has been that way since commit 5c246d038fc47b, which added
+cgroup removal.
+
+This is problematic because once the container state dir is removed, we
+no longer know container's cgroup and thus can't remove it.
+
+Let's return the error early and fail if cgroup can't be removed.
+
+Same for other operations: do not proceed if we fail.
+
+Signed-off-by: Kir Kolyshkin
+---
+ libcontainer/state_linux.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
+index c77d4f2..dd4dcd4 100644
+--- a/libcontainer/state_linux.go
++++ b/libcontainer/state_linux.go
+@@ -44,14 +44,14 @@ func destroy(c *linuxContainer) error {
+ logrus.Warn(err)
+ }
+ }
+- err := c.cgroupManager.Destroy()
+- if rerr := os.RemoveAll(c.root); err == nil {
+- err = rerr
++ if err := c.cgroupManager.Destroy(); err != nil {
++ return fmt.Errorf("unable to remove container's cgroup: %w", err)
+ }
+- c.initProcess = nil
+- if herr := runPoststopHooks(c); err == nil {
+- err = herr
++ if err := os.RemoveAll(c.root); err != nil {
++ return fmt.Errorf("unable to remove container root dir: %w", err)
+ }
++ c.initProcess = nil
++ err := runPoststopHooks(c)
+ c.state = &stoppedState{c: c}
+ return err
+ }
+--
+2.17.1
diff --git a/runc.spec b/runc.spec
index b5ffe48..c62a062 100644
--- a/runc.spec
+++ b/runc.spec
@@ -4,7 +4,7 @@
 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 318
+Release: 319
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
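Review bot: The ordering the two new guards enforce — `c.cgroupManager.Destroy()` must succeed before `os.RemoveAll(c.root)` runs — is the entire point of the fix, yet nothing in the code states it, so a later edit that swaps the steps (say, to make a retry cheaper) would silently reintroduce the orphaned-cgroup problem the commit message describes; I would add above the first guard `// Remove the cgroup before the state dir: once c.root is gone the cgroup path is lost and it can never be cleaned up.`. The unguarded tail `err := runPoststopHooks(c)` deliberately still marks the container stopped when hooks fail, which deserves a one-line comment such as `// hooks failing must not leave the container in a non-stopped state` so it is not "fixed" into a third early return. Because this is a backport onto a 1.0.0.rc3 tree (per runc.spec), `%w` needs a Go 1.13+ toolchain and, to be useful, callers that unwrap with errors.Is/As — worth confirming against this tree's build environment rather than assuming it from upstream. The enclosing `destroy` starts before this hunk (the `signalAllProcesses`/`logrus.Warn` block is only partly visible), and on the new early-return paths `c.initProcess` and `c.state` are left untouched so a repeated `runc delete` re-runs the whole sequence — that looks intended, but it is inferred, not shown.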
@@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Fri Dec 8 2023 zhongjiawei - 1.0.0.rc3-319
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libct: Destroy: don't proceed in case of errors
+
 * Mon Dec 4 2023 zhongjiawei - 1.0.0.rc3-318
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 889a470..51b36e5 100644
--- a/series.conf
+++ b/series.conf
@@ -153,4 +153,5 @@ patch/0150-runc-freezer-add-delay-after-freeze.patch
 patch/0151-runc-fix-update-rt-runtime-us-and-rt-period-us-.patch
 patch/0152-runc-libcontainer-create-Cwd-when-it-does-not-exist.patch
 patch/0153-runc-delete-do-not-ignore-error-from-destroy.patch
+patch/0154-libct-Destroy-don-t-proceed-in-case-of-errors.patch
 #end
--
Gitee