diff --git a/git-commit b/git-commit
index 3b1e070d6fbef169e2fa8918b606b2c5bd4780de..1bbe65a116d5dff59fbe5b798bde0afea251c07c 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-32ed6f4eebcde9458c54092c578c7b852b7f79dd
+47a4bc111c776c9d4942d021420450e8c89b403e
diff --git a/patch/0045-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch b/patch/0045-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d02a989dffca2532d7164c99e478072baca595cd
--- /dev/null
+++ b/patch/0045-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch
@@ -0,0 +1,58 @@
+From a5d5191301de25f26942c07ea4502a716755a32e Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin
+Date: Mon, 13 Nov 2023 15:39:21 -0800
+Subject: [PATCH] libct: Destroy: don't proceed in case of errors
+
+For some reason, container destroy operation removes container's state
+directory even if cgroup removal fails (and then still returns an
+error). It has been that way since commit 5c246d038fc47b, which added
+cgroup removal.
+
+This is problematic because once the container state dir is removed, we
+no longer know container's cgroup and thus can't remove it.
+
+Let's return the error early and fail if cgroup can't be removed.
+
+Same for other operations: do not proceed if we fail.
+
+Signed-off-by: Kir Kolyshkin
+---
+ libcontainer/state_linux.go | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/libcontainer/state_linux.go b/libcontainer/state_linux.go
+index aa6259b..81f1d85 100644
+--- a/libcontainer/state_linux.go
++++ b/libcontainer/state_linux.go
+@@ -42,19 +42,20 @@ func destroy(c *linuxContainer) error {
+ logrus.Warn(err)
+ }
+ }
+- err := c.cgroupManager.Destroy()
++ if err := c.cgroupManager.Destroy(); err != nil {
++ return fmt.Errorf("unable to remove container's cgroup: %w", err)
++ }
+ if c.intelRdtManager != nil {
+- if ierr := c.intelRdtManager.Destroy(); err == nil {
+- err = ierr
++ if err := c.intelRdtManager.Destroy(); err != nil {
++ return fmt.Errorf("unable to remove container's IntelRDT group: %w", err)
+ }
+ }
+- if rerr := os.RemoveAll(c.root); err == nil {
+- err = rerr
++ if err := os.RemoveAll(c.root); err != nil {
++ return fmt.Errorf("unable to remove container state dir: %w", err)
+ }
+ c.initProcess = nil
+- if herr := runPoststopHooks(c); err == nil {
+- err = herr
+- }
++ err := runPoststopHooks(c)
++
+ c.state = &stoppedState{c: c}
+ return err
+ }
+--
+2.33.0
+
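Review bot: In the rewritten tail of destroy(), the error from `runPoststopHooks(c)` is returned bare while the three new early returns wrap theirs with context, so a hook failure surfaces to callers without saying which step of destroy failed; keeping the existing flow (c.state is still set to stopped when hooks fail) this can be `err := runPoststopHooks(c)` / `if err != nil { err = fmt.Errorf("running poststop hooks: %w", err) }` placed before `c.state = &stoppedState{c: c}`, assuming runPoststopHooks does not already add such a prefix. The early returns also give destroy() partial-completion semantics that the code does not state: on a cgroup or IntelRDT failure c.root, c.initProcess and c.state are left untouched so a later destroy can retry the cleanup, which is worth a comment above the first check, e.g. `// Stop at the first failure: keeping the state dir (and c.state) lets a later destroy retry the cgroup removal.` The stray empty added line after `err := runPoststopHooks(c)` can be dropped. The start of destroy() is outside the hunk.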
diff --git a/runc.spec b/runc.spec
index d153f9c9f705ba930f0c435a4976dbd6a5073870..5bc2ad8e6ec9145b7745e3fc6997edbd30f1bda3 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@ Name: docker-runc
 Version: 1.1.3
-Release: 20
+Release: 21
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Fri Dec 8 2023 zhongjiawei - 1.1.3-21
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libct: Destroy: don't proceed in case of errors
+
 * Mon Dec 4 2023 zhongjiawei - 1.1.3-20
 - Type:bugfix
 - CVE:NA
diff --git a/series.conf b/series.conf
index 98d84983b5d174d514256b65351c00d3e60e5450..c1f4a700dc444448c14cabc767d8998b2dd3d51a 100644
--- a/series.conf
+++ b/series.conf
@@ -42,3 +42,4 @@ patch/0041-runc-libct-init-unify-init-fix-its-error-logic.patch
 patch/0042-runc-Handle-kmem.limit_in_bytes-removal.patch
 patch/0043-runc-fix-update-rt-runtime-us-and-rt-period-us-faile.patch
 patch/0044-runc-delete-do-not-ignore-error-from-destroy.patch
+patch/0045-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch