diff --git a/patch/0131-runc-save-state-atomic.patch b/patch/0131-runc-save-state-atomic.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b3b1a89ff1c040bb7990712a0e9f07b91bc60249
--- /dev/null
+++ b/patch/0131-runc-save-state-atomic.patch
@@ -0,0 +1,57 @@
+From 957c155cdf03ef1b3bb53d1e107850924bda2c89 Mon Sep 17 00:00:00 2001
+From: cenhuilin
+Date: Fri, 8 Jul 2022 02:00:53 +0000
+Subject: [PATCH] Write state.json atomically
+We want to make sure that the state file is syned and cannot be
+read partially or truncated.
+
+Signed-off-by: Mrunal Patel
+---
+ libcontainer/container_linux.go | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
+index 7be84a6..709a95e 100644
+--- a/libcontainer/container_linux.go
++++ b/libcontainer/container_linux.go
+@@ -1385,13 +1385,30 @@ func (c *linuxContainer) updateState(process parentProcess) (*State, error) {
+ return state, nil
+ }
+
+-func (c *linuxContainer) saveState(s *State) error {
+- f, err := os.Create(filepath.Join(c.root, stateFilename))
+- if err != nil {
+- return err
+- }
+- defer f.Close()
+- return utils.WriteJSON(f, s)
++func (c *linuxContainer) saveState(s *State) (retErr error) {
++ tmpFile, err := ioutil.TempFile(c.root, "state-")
++ if err != nil {
++ return err
++ }
++
++ defer func() {
++ if retErr != nil {
++ tmpFile.Close()
++ os.Remove(tmpFile.Name())
++ }
++ }()
++
++ err = utils.WriteJSON(tmpFile, s)
++ if err != nil {
++ return err
++ }
++ err = tmpFile.Close()
++ if err != nil {
++ return err
++ }
++
++ stateFilePath := filepath.Join(c.root, stateFilename)
++ return os.Rename(tmpFile.Name(), stateFilePath)
+ }
+
+ func (c *linuxContainer) deleteState() error {
+--
+2.33.0
+
diff --git a/runc.spec b/runc.spec
index dd8299f1bc22fc3405a0efe62b9f29cfe715301f..b3c36050445d6f960a21e00e17c47852284d615c 100644
--- a/runc.spec
+++ b/runc.spec
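Review bot: The rename makes the swap atomic for concurrent readers, but nothing flushes the temp file before `os.Rename`, so after a crash the new state.json can still land on disk empty or truncated even though the patch description says the file is "syned"; add `if err := tmpFile.Sync(); err != nil { return err }` immediately before the `err = tmpFile.Close()` line in saveState. A second point worth recording in the description: `ioutil.TempFile` creates the file with mode 0600, whereas the removed `os.Create` produced 0666 minus umask, so state.json becomes owner-readable only after this patch — presumably acceptable for a root-owned container root, but it is a visible permission change. Minor: the deferred cleanup calls `tmpFile.Close()` a second time when the explicit Close or the rename fails, which is harmless but could be limited to the `os.Remove` once the file has already been closed.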
@@ -4,7 +4,7 @@ Name: docker-runc Version: 1.0.0.rc3 -Release: 117 +Release: 118 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. License: ASL 2.0 @@ -53,6 +53,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc %{_bindir}/runc %changelog +* Fri Jul 8 2022 cenhuilin - 1.0.0.rc3-118 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix connect container failed when reading partially written state.json content + * Mon Apr 11 2022 fushanqing - 1.0.0.rc3-117 - add macro diff --git a/series.conf b/series.conf index 42771a46ce8a9a81c624743ac0c7e50ac5bf39ae..f279a70a94578738702f85e4cbd8185223fb971b 100644 --- a/series.conf +++ b/series.conf @@ -128,4 +128,5 @@ patch/0127-runc-add-mount-destination-validation-fix-CVE-2021.patch patch/0128-runc-optimize-nsexec-logging.patch patch/0129-runc-improve-log-for-debugging.patch patch/0130-runc-fix-cgroup-info-print-error.patch +patch/0131-runc-save-state-atomic.patch #end