diff --git a/patch/0150-runc-Fix-File-to-Close.patch b/patch/0150-runc-Fix-File-to-Close.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a2a1e89a89743f2fa88262854cb119cdaef9ca7b
--- /dev/null
+++ b/patch/0150-runc-Fix-File-to-Close.patch
@@ -0,0 +1,27 @@
+From 329422245586df752a020d3887cb0ee83cab7f59 Mon Sep 17 00:00:00 2001
+From: "hang.jiang"
+Date: Fri, 1 Sep 2023 16:17:13 +0800
+Subject: [PATCH 1/4] Fix File to Close
+
+Reference:https://github.com/opencontainers/runc/commit/937ca107c3d22da77eb8e8030f2342253b980980
+
+Signed-off-by: hang.jiang
+---
+ update.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/update.go b/update.go
+index 226a18af..46f79748 100644
+--- a/update.go
++++ b/update.go
+@@ -162,6 +162,7 @@ other options are ignored.
+ if err != nil {
+ return err
+ }
++ defer f.Close()
+ }
+ err = json.NewDecoder(f).Decode(&r)
+ if err != nil {
+--
+2.33.0
+
diff --git a/patch/0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch b/patch/0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eb73c87ce1514f65cb635f5835fa5a17e0771811
--- /dev/null
+++ b/patch/0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch
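Review bot: The `From:` and `Signed-off-by:` lines of the embedded patch carry only a name (`"hang.jiang"`, `hang.jiang`) with no angle-bracketed address, which `git am` needs to build a valid author ident; if the address was stripped when this page was rendered rather than in the repository this is moot, otherwise the trailer should read `Signed-off-by: hang.jiang <EMAIL-PLACEHOLDER>`. The same applies to the `From:`/`Signed-off-by:` lines of 0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch. The added `defer f.Close()` is placed inside the branch that opened the file, which is the right scope; since the handle is presumably read-only given the `json.NewDecoder(f).Decode(&r)` that follows, a comment such as `// read-only handle: a Close error is not actionable` would record why the error is discarded. The enclosing function in update.go starts and ends outside the hunk.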
@@ -0,0 +1,59 @@
+From 6594fe86b84fa69fd44172694d9495b37e5c653a Mon Sep 17 00:00:00 2001
+From: Brian Goff
+Date: Thu, 22 Jun 2023 21:35:19 +0000
+Subject: [PATCH 2/4] Fix tmpfs mode opts when dir already exists
+
+When a directory already exists (or after a container is restarted) the
+perms of the directory being mounted to were being used even when a
+different permission is set on the tmpfs mount options.
+
+This prepends the original directory perms to the mount options.
+If the perms were already set in the mount opts then those perms will
+win.
+This eliminates the need to perform a chmod after mount entirely.
+
+Reference:https://github.com/opencontainers/runc/commit/9fa8b9de3e74c306db186494187fb789f0fdab4d
+
+Signed-off-by: Brian Goff
+---
+ libcontainer/rootfs_linux.go | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index f5d9214a..7d52b622 100644
+--- a/libcontainer/rootfs_linux.go
++++ b/libcontainer/rootfs_linux.go
+@@ -231,11 +231,16 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+ return err
+ }
+ m.Destination = dest
+- stat, err := os.Stat(dest)
+- if err != nil {
++ if stat, err := os.Stat(dest); err != nil {
+ if err := os.MkdirAll(dest, 0755); err != nil {
+ return err
+ }
++ } else {
++ dt := fmt.Sprintf("mode=%04o", stat.Mode())
++ if m.Data != "" {
++ dt = dt + "," + m.Data
++ }
++ m.Data = dt
+ }
+ if copyUp {
+ tmpDir, err = ioutil.TempDir("/tmp", "runctmpdir")
+@@ -264,11 +269,6 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+ return errMsg
+ }
+ }
+- if stat != nil {
+- if err = os.Chmod(dest, stat.Mode()); err != nil {
+- return err
+- }
+- }
+ return nil
+ case "bind":
+ stat, err := os.Stat(m.Source)
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index 7ab585398e6bd2462b874331ae32a8f4fd042beb..d1ed5610da6b73490fbcaf00a9195eed296549a5 100644
--- a/runc.spec
+++ b/runc.spec
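Review bot: `dt := fmt.Sprintf("mode=%04o", stat.Mode())` formats the whole os.FileMode, and for an existing directory that value carries the ModeDir type bit (fmt does not use FileMode's String method for `%o`), so the generated `mode=` option is not a plain permission number; formatting `stat.Mode().Perm()` yields only the 0777 bits, i.e. `dt := fmt.Sprintf("mode=%04o", stat.Mode().Perm())`. The kernel's tmpfs option parser appears to mask the value, so the current line may work in practice, but the narrower form is what the commit message describes and does not depend on that masking. Note that Perm() drops setuid/setgid/sticky, which os.FileMode keeps in separate flag bits rather than in the low octal digits; if those must be preserved they need explicit translation to the syscall bit layout before formatting. Since the post-mount `os.Chmod` fallback is removed in the second hunk, the mount option is now the only thing enforcing the directory's mode. mountToRootfs starts and ends outside the hunk.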
@@ -2,7 +2,7 @@ Name: docker-runc Version: 1.0.0.rc3 -Release: 224 +Release: 225 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. License: ASL 2.0 @@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc %{_bindir}/runc %changelog +* Mon Mar 04 2024 zhongjiawei - 1.0.0.rc3-225 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport some patches + * Mon Feb 5 2024 zhongjiawei - 1.0.0.rc3-224 - Type:bugfix - CVE:NA diff --git a/series.conf b/series.conf index 583fa8a43ae98714fe68aa4c4cb0ebf4d38b7bc9..e3a078c65cba14d3712cd0ed99324ee670ae5a82 100644 --- a/series.conf +++ b/series.conf @@ -141,3 +141,5 @@ 0147-runc-libct-Destroy-don-t-proceed-in-case-of-errors.patch 0148-runc-fix-CVE-2024-21626.patch 0149-runc-check-cmd-exist.patch +0150-runc-Fix-File-to-Close.patch +0151-runc-Fix-tmpfs-mode-opts-when-dir-already-exis.patch