diff --git a/git-commit b/git-commit
index 0ae824605f5181a5283ce1728e6c2a98b618ef73..b356e5fd1358988f3011cc3172ba8401d05ab181 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-ae908e306b8682a184ba191e4a810afe367c607c
+f93bc478fbbc54f67e5883f09d3ced9ce5789766
diff --git a/patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch b/patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a72d1b57749ade3c754899fbbf3ad68e8524a3b
--- /dev/null
+++ b/patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch
@@ -0,0 +1,65 @@
+From: xulei
+Date: Wed, 25 Dec 2024 11:11:08 +0800
+Subject: [PATCH] runc:Fix failed exec after systemctl daemon-reload
+
+Reference: https://github.com/opencontainers/runc/pull/3554/files
+
+---
+ libcontainer/cgroups/systemd/common.go | 16 +++++++++-------
+ tests/integration/dev.bats | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
+index 5a68a3c..45744c1 100644
+--- a/libcontainer/cgroups/systemd/common.go
++++ b/libcontainer/cgroups/systemd/common.go
+@@ -288,14 +288,16 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
+ case devices.CharDevice:
+ entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
+ }
++ // systemd will issue a warning if the path we give here doesn't exist.
++ // Since all of this logic is best-effort anyway (we manually set these
++ // rules separately to systemd) we can safely skip entries that don't
++ // have a corresponding path.
++ if _, err := os.Stat(entry.Path); err != nil {
++ logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err)
++ continue
++ }
+ }
+- // systemd will issue a warning if the path we give here doesn't exist.
+- // Since all of this logic is best-effort anyway (we manually set these
+- // rules separately to systemd) we can safely skip entries that don't
+- // have a corresponding path.
+- if _, err := os.Stat(entry.Path); err == nil {
+- deviceAllowList = append(deviceAllowList, entry)
+- }
++ deviceAllowList = append(deviceAllowList, entry)
+ }
+ 
+ properties = append(properties, newProp("DeviceAllow", deviceAllowList))
+diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
+index 01f6778..2433157 100644
+--- a/tests/integration/dev.bats
++++ b/tests/integration/dev.bats
+@@ -128,3 +128,19 @@ function teardown() {
+ runc exec test_allow_block sh -c 'fdisk -l '"$device"''
+ [ "$status" -eq 0 ]
+ }
++
++# https://github.com/opencontainers/runc/issues/3551
++@test "runc exec vs systemctl daemon-reload" {
++ requires systemd root
++
++ runc run -d --console-socket "$CONSOLE_SOCKET" test_exec
++ [ "$status" -eq 0 ]
++
++ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
++ [ "$status" -eq 0 ]
++
++ systemctl daemon-reload
++
++ runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123"
++ [ "$status" -eq 0 ]
++}
+--
+2.33.0
diff --git a/runc.spec b/runc.spec
index c22d8c23383daffb62954d5d1db35e8d28901c50..378c96496591a7f2b3d71ad4e36cb506d09b4189 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@ Name: runc
 Version: 1.1.3
-Release: 31
+Release: 32
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0
@@ -54,6 +54,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Mon Jan 06 2025 xulei - 1.1.3-32
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix failed exec after systemctl daemon-reload
+
+* Tue Oct 08 2024 jingxiaolu - 1.1.3-31
+- Type:bugfix
+- CVE:NA
diff --git a/series.conf b/series.conf
index 67c4bba5e76c87c3e79fc2e9ea3dc58282052791..d09698946b51d69c024f80fd8754c02e95fb2a5a 100644
--- a/series.conf
+++ b/series.conf
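Review bot: The relocated `os.Stat` guard in common.go now runs only inside the block that the context `}` after `continue` closes, so any rule that reaches the now-unconditional `deviceAllowList = append(deviceAllowList, entry)` without entering that block is handed to systemd with no path check at all; that block's condition, the enclosing loop and generateDeviceProperties itself all begin outside the hunk, so the hunk cannot show which rules those are (presumably the wildcard major/minor entries the referenced upstream PR targets). The patch file's description is only a reference URL; I would add one sentence stating the mechanism, e.g. `Rules with no stat-able /dev/char/M:m-style path were dropped from the DeviceAllow property, so the device list systemd re-applies on daemon-reload was narrower than the rules runc programs itself, and later execs lost access.` Since a reload-triggered failure means systemd's DeviceAllow acts as a second enforcement layer over runc's own device rules, keeping that property consistent with the rules in r.Devices is the invariant this change protects, and a short comment to that effect on the append line would stop the next reader from reinstating the stat there. In the dev.bats test both `runc exec` calls check only `$status`; adding `[[ "$output" == *"123"* ]]` after each would also pin that stdout came back through the console (the `ls -l /proc/self/fd/0` output is otherwise never inspected).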
@@ -57,3 +57,4 @@ patch/0056-runc-format-log-instead-panic-when-procError-missing.patch
 patch/0057-rootfs-consolidate-mountpoint-creation-logic.patch
 patch/0058-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch
 patch/0059-runc-fix-can-t-set-cpuset-cpus-and-cpuset-mems-at-th.patch
+patch/0060-runc-fix-failed-exec-after-systemctl-daemon-reload.patch