From d5ecef242e05d5a1ea55f68141543cb4e8909178 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 5 Mar 2020 16:17:42 +0100
Subject: [PATCH 01/18] crun-0.13-1
Signed-off-by: Giuseppe Scrivano
---
 .gitignore | 1 +
 crun.spec | 5 ++++-
 sources | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index d183969..1d9fdb6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ crun-0.1.1.tar.gz
 /crun-0.12.1.tar.gz
 /crun-0.12.2.tar.gz
 /crun-0.12.2.1.tar.gz
+/crun-0.13.tar.gz
diff --git a/crun.spec b/crun.spec
index 063c946..c9a269c 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,6 +1,6 @@
 Summary: OCI runtime written in C
 Name: crun
-Version: 0.12.2.1
+Version: 0.13
 Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
@@ -44,6 +44,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Thu Mar 05 2020 Giuseppe Scrivano - 0.13-1
+- built version 0.13
+
 * Mon Feb 17 2020 Giuseppe Scrivano - 0.12.2.1-1
 - built version 0.12.2.1
diff --git a/sources b/sources
index b55823f..27ddfc5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (crun-0.12.2.1.tar.gz) = aaae4c9cc9bd4b51f22dbe519a3d208be775d96ca0bff9e6ac5e69e8e775e466bbef785423858515854f4e3bd23735e48e2c7ae709097a070fc52c46631fd6e6
+SHA512 (crun-0.13.tar.gz) = 314612eaf3097160e9369b3400ac8a83e173ef1a53295191c925e96212ba00d032883db1e4615b8ba42ddb08f1e31ca5e5088ea583a469835ac3c27087a88d6e
From 38db2a0ca217e8fc9829e1b1d3913566362e6d6a Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 9 Apr 2020 12:28:09 +0200
Subject: [PATCH 02/18] crun-0.13-2
Signed-off-by: Giuseppe Scrivano
---
 0001-linux-do-not-mount-label-cgroup.patch | 65 ++++++++++++++++++++++
 crun.spec | 9 ++-
 2 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 0001-linux-do-not-mount-label-cgroup.patch
diff --git a/0001-linux-do-not-mount-label-cgroup.patch b/0001-linux-do-not-mount-label-cgroup.patch
new file mode 100644
index 0000000..fbe1f09
--- /dev/null
+++ b/0001-linux-do-not-mount-label-cgroup.patch
@@ -0,0 +1,65 @@
+From ef38609ef628594da7b8adf94b6fcd5d14c88af7 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Wed, 8 Apr 2020 16:47:22 +0200
+Subject: [PATCH] linux: do not mount label cgroup
+
+skip setting a context= option when mounting cgroup. At least Linux
+5.6 fails with EINVAL if it set.
+
+Signed-off-by: Giuseppe Scrivano
+---
+ src/libcrun/linux.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
+index 6836326..92b2055 100644
+--- a/src/libcrun/linux.c
++++ b/src/libcrun/linux.c
+@@ -602,7 +602,7 @@ do_mount_cgroup_v2 (libcrun_container_t *container,
+ {
+ crun_error_release (err);
+
+- ret = do_mount (container, "/sys/fs/cgroup", targetfd, target, NULL, MS_BIND | mountflags, NULL, 0, err);
++ ret = do_mount (container, "/sys/fs/cgroup", targetfd, target, NULL, MS_BIND | mountflags, NULL, 1, err);
+ }
+ return ret;
+ }
+@@ -648,7 +648,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
+ if (UNLIKELY (subsystems == NULL))
+ return -1;
+
+- ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags, "size=1024k", 0, err);
++ ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags, "size=1024k", 1, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+
+@@ -704,7 +704,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
+
+ if (has_cgroupns)
+ {
+- ret = do_mount (container, source_path, subsystemfd, subsystem_path, "cgroup", mountflags, subsystem_fqn, 0, err);
++ ret = do_mount (container, source_path, subsystemfd, subsystem_path, "cgroup", mountflags, subsystem_fqn, 1, err);
+ if (UNLIKELY (ret < 0))
+ {
+ if (crun_error_get_errno (err) == ENOENT || crun_error_get_errno (err) == ENODEV)
+@@ -718,7 +718,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
+ }
+ else
+ {
+- ret = do_mount (container, source_path, subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 0, err);
++ ret = do_mount (container, source_path,
subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 1, err);
+ if (UNLIKELY (ret < 0))
+ {
+ if (crun_error_get_errno (err) != ENOENT)
+@@ -727,7 +727,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
+ crun_error_release (err);
+
+ /* We might already be in a container. Mount the source subsystem. */
+- ret = do_mount (container, source_subsystem, subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 0, err);
++ ret = do_mount (container, source_subsystem, subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 1, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }
+-- 
+2.25.1
+
diff --git a/crun.spec b/crun.spec
index c9a269c..678bbd6 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -22,11 +22,13 @@ BuildRequires: libtool
 BuildRequires: go-md2man
 Provides: oci-runtime = 2
+Patch0: 0001-linux-do-not-mount-label-cgroup.patch
+
 %description
 crun is a runtime for running OCI containers
 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 %build
 ./autogen.sh
@@ -44,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Thu Apr 09 2020 Giuseppe Scrivano - 0.13-2
+- fix cgroup v1 mount on Linux 5.6
+
 * Thu Mar 05 2020 Giuseppe Scrivano - 0.13-1
 - built version 0.13
From d9aa2854c61a12c4187d646f4f0295cd2d27962d Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Mon, 18 May 2020 09:13:50 +0000
Subject: [PATCH 03/18] crun-0.13-1
Signed-off-by: RH Container Bot
---
 crun.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crun.spec b/crun.spec
index 678bbd6..958c3a9 100644
--- a/crun.spec
+++ b/crun.spec
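Review bot: The five `do_mount` calls changed in do_mount_cgroup_v2 and do_mount_cgroup_v1 flip an unnamed integer argument from `0` to `1`, and nothing at the call sites records that this stops passing the `context=` mount option; the reason is only recoverable from the patch description. A one-line comment at the first changed call, e.g. `/* Do not pass context= on cgroup mounts: Linux 5.6 rejects it with EINVAL. */`, or a named constant for that parameter, would keep the intent visible after the patch is merged upstream. Since `context=` presumably set the SELinux label of these mounts, the cgroup mounts inside the container will now carry whatever label the kernel assigns instead of the container's context, which is worth stating explicitly for SELinux-enforcing hosts. The enclosing functions start and end outside the hunk.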
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.13
-Release: 2%{?dist}
+Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -46,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Mon May 18 2020 RH Container Bot - 0.13-1
+- autobuilt 0.13
+
 * Thu Apr 09 2020 Giuseppe Scrivano - 0.13-2
 - fix cgroup v1 mount on Linux 5.6
From 458febffb804d2015ecc12462fbda8ff7bf583a5 Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Tue, 7 Jul 2020 18:43:31 +0000
Subject: [PATCH 04/18] crun-0.14-1
Signed-off-by: RH Container Bot
---
 .gitignore | 1 +
 crun.spec | 5 ++++-
 sources | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 1d9fdb6..1d2542e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ crun-0.1.1.tar.gz
 /crun-0.12.2.tar.gz
 /crun-0.12.2.1.tar.gz
 /crun-0.13.tar.gz
+/crun-0.14.tar.gz
diff --git a/crun.spec b/crun.spec
index 958c3a9..bde6f8f 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,6 +1,6 @@
 Summary: OCI runtime written in C
 Name: crun
-Version: 0.13
+Version: 0.14
 Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
@@ -46,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Tue Jul 07 2020 RH Container Bot - 0.14-1
+- autobuilt 0.14
+
 * Mon May 18 2020 RH Container Bot - 0.13-1
 - autobuilt 0.13
diff --git a/sources b/sources
index 27ddfc5..e4f6d19 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (crun-0.13.tar.gz) = 314612eaf3097160e9369b3400ac8a83e173ef1a53295191c925e96212ba00d032883db1e4615b8ba42ddb08f1e31ca5e5088ea583a469835ac3c27087a88d6e
+SHA512 (crun-0.14.tar.gz) = a62e95945f94eb20b283bfd7ae24779b7f9b132521224f2a6db705967b53b049132c11a89dfb3ac385a2d6c2a7d9314d4a4b7f7585a516f170872d87ec36a6c0
From 62d4aa5755a0c6e78f406d0668c994a32262adcc Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Mon, 13 Jul 2020 15:09:50 +0000
Subject: [PATCH 05/18] crun-0.14.1-1
Signed-off-by: RH Container Bot
---
 .gitignore | 1 +
 crun.spec | 5 ++++-
 sources | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 1d2542e..ce20ab0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@ crun-0.1.1.tar.gz
 /crun-0.12.2.1.tar.gz
 /crun-0.13.tar.gz
 /crun-0.14.tar.gz
+/crun-0.14.1.tar.gz
diff --git a/crun.spec b/crun.spec
index bde6f8f..30614df 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,6 +1,6 @@
 Summary: OCI runtime written in C
 Name: crun
-Version: 0.14
+Version: 0.14.1
 Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
@@ -46,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Mon Jul 13 2020 RH Container Bot - 0.14.1-1
+- autobuilt 0.14.1
+
 * Tue Jul 07 2020 RH Container Bot - 0.14-1
 - autobuilt 0.14
diff --git a/sources b/sources
index e4f6d19..0d91064 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (crun-0.14.tar.gz) = a62e95945f94eb20b283bfd7ae24779b7f9b132521224f2a6db705967b53b049132c11a89dfb3ac385a2d6c2a7d9314d4a4b7f7585a516f170872d87ec36a6c0
+SHA512 (crun-0.14.1.tar.gz) = 420f1713653cbd17df83b2a63d163aaa41baf78115b093877a2241305e10b2ceeaf08ea6700658eca894729ff8a20cbc66f868d18d27fba3fbedf1a9993b122e
From b087048d2852a1d9b1f1bb0d69bc495d7dce794a Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Fri, 17 Jul 2020 10:34:11 -0400
Subject: [PATCH 06/18] patch merged upstream
Signed-off-by: Lokesh Mandvekar
---
 0001-linux-do-not-mount-label-cgroup.patch | 65 ----------------------
 1 file changed, 65 deletions(-)
 delete mode 100644 0001-linux-do-not-mount-label-cgroup.patch
diff --git a/0001-linux-do-not-mount-label-cgroup.patch b/0001-linux-do-not-mount-label-cgroup.patch
deleted file mode 100644
index fbe1f09..0000000
--- a/0001-linux-do-not-mount-label-cgroup.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From ef38609ef628594da7b8adf94b6fcd5d14c88af7 Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano
-Date: Wed, 8 Apr 2020 16:47:22 +0200
-Subject: [PATCH] linux: do not mount label cgroup
-
-skip setting a context= option when mounting cgroup. At least Linux
-5.6 fails with EINVAL if it set.
-
-Signed-off-by: Giuseppe Scrivano
----
- src/libcrun/linux.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
-index 6836326..92b2055 100644
---- a/src/libcrun/linux.c
-+++ b/src/libcrun/linux.c
-@@ -602,7 +602,7 @@ do_mount_cgroup_v2 (libcrun_container_t *container,
- {
- crun_error_release (err);
-
-- ret = do_mount (container, "/sys/fs/cgroup", targetfd, target, NULL, MS_BIND | mountflags, NULL, 0, err);
-+ ret = do_mount (container, "/sys/fs/cgroup", targetfd, target, NULL, MS_BIND | mountflags, NULL, 1, err);
- }
- return ret;
- }
-@@ -648,7 +648,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
- if (UNLIKELY (subsystems == NULL))
- return -1;
-
-- ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags, "size=1024k", 0, err);
-+ ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags, "size=1024k", 1, err);
- if (UNLIKELY (ret < 0))
- return ret;
-
-@@ -704,7 +704,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
-
- if (has_cgroupns)
- {
-- ret = do_mount (container, source_path, subsystemfd, subsystem_path, "cgroup", mountflags, subsystem_fqn, 0, err);
-+ ret = do_mount (container, source_path, subsystemfd, subsystem_path, "cgroup", mountflags, subsystem_fqn, 1, err);
- if (UNLIKELY (ret < 0))
- {
- if (crun_error_get_errno (err) == ENOENT || crun_error_get_errno (err) == ENODEV)
-@@ -718,7 +718,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
- }
- else
- {
-- ret = do_mount (container, source_path, subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 0, err);
-+ ret = do_mount (container, source_path,
subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 1, err);
- if (UNLIKELY (ret < 0))
- {
- if (crun_error_get_errno (err) != ENOENT)
-@@ -727,7 +727,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
- crun_error_release (err);
-
- /* We might already be in a container. Mount the source subsystem. */
-- ret = do_mount (container, source_subsystem, subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 0, err);
-+ ret = do_mount (container, source_subsystem, subsystemfd, subsystem_path, NULL, MS_BIND | mountflags, NULL, 1, err);
- if (UNLIKELY (ret < 0))
- return ret;
- }
--- 
-2.25.1
-
From adc2aef91224d32899060fc044a56fffc8e0bcf3 Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Fri, 17 Jul 2020 10:40:23 -0400
Subject: [PATCH 07/18] remove unused patch listing from spec
Signed-off-by: Lokesh Mandvekar
---
 crun.spec | 2 --
 1 file changed, 2 deletions(-)
diff --git a/crun.spec b/crun.spec
index 30614df..aa46b79 100644
--- a/crun.spec
+++ b/crun.spec
@@ -22,8 +22,6 @@ BuildRequires: libtool
 BuildRequires: go-md2man
 Provides: oci-runtime = 2
-Patch0: 0001-linux-do-not-mount-label-cgroup.patch
-
 %description
 crun is a runtime for running OCI containers
From 341d15c522a8c217a1db0f8d9f353de70231a4a1 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 27 Aug 2020 13:53:39 +0200
Subject: [PATCH 08/18] crun-0.14.1-3
Signed-off-by: Giuseppe Scrivano
---
 ...x-race-condition-when-reading-cgroup.patch | 42 +++++++++++++++++++
 crun.spec | 7 +++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 0001-state-fix-race-condition-when-reading-cgroup.patch
diff --git a/0001-state-fix-race-condition-when-reading-cgroup.patch b/0001-state-fix-race-condition-when-reading-cgroup.patch
new file mode 100644
index 0000000..cbdaf76
--- /dev/null
+++ b/0001-state-fix-race-condition-when-reading-cgroup.patch
@@ -0,0 +1,42 @@
+From 1a71c82ea9fd3561b16e2730bea9673219c15843 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Thu, 27 Aug 2020 12:10:21 +0200
+Subject: [PATCH] state: fix race condition when reading cgroup
+
+by the time crun attempts to read from the cgroup, systemd might have
+already cleaned it up. When using systemd, on ENOENT state reports
+the container as "stopped" instead of an error.
+
+Closes: https://github.com/containers/podman/issues/7148
+
+Signed-off-by: Giuseppe Scrivano
+---
+ src/libcrun/container.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 3723300..289e551 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -2112,7 +2112,17 @@ libcrun_get_container_state_string (const char *id, libcrun_container_status_t *
+
+ ret = libcrun_cgroup_is_container_paused (status->cgroup_path, cgroup_mode, &paused, err);
+ if (UNLIKELY (ret < 0))
+- return ret;
++ {
++ /* The cgroup might have been cleaned up by systemd by the time we try to read it, so ignore ENOENT. */
++ if (status->systemd_cgroup && crun_error_get_errno (err) == ENOENT)
++ {
++ crun_error_release (err);
++ *container_status = "stopped";
++ return 0;
++ }
++
++ return ret;
++ }
+ }
+
+ if (! *running)
+-- 
+2.26.2
+
diff --git a/crun.spec b/crun.spec
index aa46b79..751eff6 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.14.1
-Release: 1%{?dist}
+Release: 3%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -22,6 +22,8 @@ BuildRequires: libtool
 BuildRequires: go-md2man
 Provides: oci-runtime = 2
+Patch0: 0001-state-fix-race-condition-when-reading-cgroup.patch
+
 %description
 crun is a runtime for running OCI containers
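Review bot: The new early return in libcrun_get_container_state_string sets `*container_status = "stopped"` without touching `*running`, while the line right after the hunk still branches on `if (! *running)`; if `running` is an out-parameter that callers read alongside the status string, they can be handed a running flag that contradicts a stopped status — this is inferred from the visible lines, so please confirm against the callers. If it is, add `*running = 0;` next to the status assignment inside the ENOENT branch. The ENOENT-as-stopped mapping is deliberately restricted to `status->systemd_cgroup`, and a short comment on why only the systemd path is trusted to have removed the cgroup (rather than a misconfigured cgroup path) would save the next reader from widening it. The enclosing function starts and ends outside the hunk.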
@@ -44,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Thu Aug 27 2020 Giuseppe Scrivano - 0.14.1-3
+- backport ed9c3e6f466dfb6d2e79802060fabd5f4b66f78e
+
 * Mon Jul 13 2020 RH Container Bot - 0.14.1-1
 - autobuilt 0.14.1
From b92c7f5a7001230dc556ac0444ed9da1055ea06e Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Mon, 31 Aug 2020 14:47:08 -0400
Subject: [PATCH 09/18] crun-0.14.1-4 - rebuild
Signed-off-by: Lokesh Mandvekar
---
 crun.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crun.spec b/crun.spec
index 751eff6..40e8998 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.14.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -46,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Mon Aug 31 2020 Lokesh Mandvekar - 0.14.1-4
+- rebuild
+
 * Thu Aug 27 2020 Giuseppe Scrivano - 0.14.1-3
 - backport ed9c3e6f466dfb6d2e79802060fabd5f4b66f78e
From d7c4d6886477698e4c01a32014e53901aff8c13c Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Wed, 2 Sep 2020 13:48:43 +0000
Subject: [PATCH 10/18] crun-0.14.1-1
Signed-off-by: RH Container Bot
---
 crun.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crun.spec b/crun.spec
index 40e8998..5b4de9b 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.14.1
-Release: 4%{?dist}
+Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -46,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 2 2020 RH Container Bot - 0.14.1-1
+- autobuilt 0.14.1
+
 * Mon Aug 31 2020 Lokesh Mandvekar - 0.14.1-4
 - rebuild
From 417f81fd00b916102ec98726c4de3737d62743ed Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 14 Sep 2020 12:05:15 +0200
Subject: [PATCH 11/18] crun-0.14.1-5
Signed-off-by: Giuseppe Scrivano
---
 ...apabilities-get-last_cap-dynamically.patch | 100 ++++++++++++++++++
 crun.spec | 6 +-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 0001-Capabilities-get-last_cap-dynamically.patch
diff --git a/0001-Capabilities-get-last_cap-dynamically.patch b/0001-Capabilities-get-last_cap-dynamically.patch
new file mode 100644
index 0000000..4a4751f
--- /dev/null
+++ b/0001-Capabilities-get-last_cap-dynamically.patch
@@ -0,0 +1,100 @@
+From 2dd22b2f1aa13edc704cf5a6e50793457076789e Mon Sep 17 00:00:00 2001
+From: Ed Santiago
+Date: Mon, 31 Aug 2020 12:09:39 -0600
+Subject: [PATCH] Capabilities: get last_cap dynamically
+
+Determine the kernel capability set at run time, for
+consistency with runc.
+
+Signed-off-by: Ed Santiago
+(cherry picked from commit 4453af4c060e380051552ee589af5cad37f2ae82)
+---
+ src/libcrun/container.c | 4 ++++
+ src/libcrun/linux.c | 29 +++++++++++++++++++++++++++--
+ src/libcrun/linux.h | 1 +
+ 3 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 3723300..0870cf2 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -480,6 +480,10 @@ initialize_security (runtime_spec_schema_config_schema_process *proc, libcrun_er
+ if (UNLIKELY (ret < 0))
+ return ret;
+
++ ret = libcrun_init_caps (err);
++ if (UNLIKELY (ret < 0))
++ return ret;
++
+ return 0;
+ }
+
+diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
+index fa87d82..316943d 100644
+--- a/src/libcrun/linux.c
++++ b/src/libcrun/linux.c
+@@ -2291,6 +2291,28 @@ has_cap_on (int cap, long unsigned *caps)
+ return (CAP_TO_MASK_1 (cap) & caps[1]);
+ }
+
++static unsigned long cap_last_cap;
++
++int
++libcrun_init_caps (libcrun_error_t *err)
++{
++ cleanup_close int fd = -1;
++ int ret;
++ char buffer[16];
++ fd = open ("/proc/sys/kernel/cap_last_cap", O_RDONLY);
++ if (fd < 0)
++ return crun_make_error (err, errno, "open /proc/sys/kernel/cap_last_cap");
++ ret = TEMP_FAILURE_RETRY (read (fd, buffer, sizeof (buffer)));
++ if (UNLIKELY (ret < 0))
++ return crun_make_error (err, errno, "read from /proc/sys/kernel/cap_last_cap");
++
++ errno = 0;
++ cap_last_cap = strtoul (buffer, NULL, 10);
++ if (errno != 0)
++ return crun_make_error (err, errno, "strtoul() from /proc/sys/kernel/cap_last_cap");
++ return 0;
++}
++
+ static int
+ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_privs,
libcrun_error_t *err)
+ {
+@@ -2299,7 +2321,10 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
+ struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
+ struct __user_cap_data_struct data[2] = { { 0 } };
+
+- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
++ if (cap_last_cap == 0)
++ return crun_make_error (err, 0, "internal error: max number of capabilities not initialized");
++
++ for (cap = 0; cap <= cap_last_cap; cap++)
+ if (! has_cap_on (cap, caps->bounding))
+ {
+ ret = prctl (PR_CAPBSET_DROP, cap, 0, 0, 0);
+@@ -2335,7 +2360,7 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
+ if (UNLIKELY (ret < 0 && !(errno == EINVAL || errno == EPERM)))
+ return crun_make_error (err, errno, "prctl reset ambient");
+
+- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
++ for (cap = 0; cap <= cap_last_cap; cap++)
+ if (has_cap_on (cap, caps->ambient))
+ {
+ ret = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
+diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
+index a92b5f1..fc70feb 100644
+--- a/src/libcrun/linux.h
++++ b/src/libcrun/linux.h
+@@ -38,6 +38,7 @@ pid_t libcrun_run_linux_container (libcrun_container_t *container,
+ libcrun_error_t *err);
+ int get_notify_fd (libcrun_context_t *context, libcrun_container_t *container, int *notify_socket_out, libcrun_error_t *err);
+ int libcrun_set_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err);
++int libcrun_init_caps (libcrun_error_t *err);
+ int libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, const char *rootfs, libcrun_error_t *err);
+ int libcrun_reopen_dev_null (libcrun_error_t *err);
+ int libcrun_set_usernamespace (libcrun_container_t *container, pid_t pid, libcrun_error_t *err);
+-- 
+2.26.2
+
diff --git a/crun.spec b/crun.spec
index 5b4de9b..230b32b 100644
--- a/crun.spec
+++ b/crun.spec
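Review bot: In libcrun_init_caps the 16-byte `buffer` is never NUL-terminated before `strtoul (buffer, NULL, 10)`: `read` is asked for the full `sizeof (buffer)`, so a read that fills it leaves no room for a terminator, and a zero-length read leaves the whole buffer uninitialized, and in both cases strtoul scans past valid data. Read one byte less and terminate explicitly: `ret = TEMP_FAILURE_RETRY (read (fd, buffer, sizeof (buffer) - 1));` followed, after the `ret < 0` check, by `buffer[ret] = '\0';`. Passing `NULL` as endptr also means a file with no digits silently yields `cap_last_cap = 0`, which is only caught later by the "not initialized" check added to set_required_caps; passing an end pointer and rejecting `end == buffer` would report the failure where it occurs, while the later guard remains useful as defense in depth for the bounding-set and ambient loops that now iterate to `cap_last_cap`.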
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.14.1
-Release: 1%{?dist}
+Release: 5%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -23,6 +23,7 @@ BuildRequires: go-md2man
 Provides: oci-runtime = 2
 Patch0: 0001-state-fix-race-condition-when-reading-cgroup.patch
+Patch1: 0001-Capabilities-get-last_cap-dynamically.patch
 %description
 crun is a runtime for running OCI containers
@@ -46,6 +47,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Mon Sep 14 2020 Giuseppe Scrivano - 0.14.1-5
+- backport 4453af4c060e380051552ee589af5cad37f2ae82
+
 * Wed Sep 2 2020 RH Container Bot - 0.14.1-1
 - autobuilt 0.14.1
From d8fe8ebf48a1f2378c88b31e4d796e3cefcc139c Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Mon, 14 Sep 2020 11:14:05 +0000
Subject: [PATCH 12/18] crun-0.14.1-1 autobuilt 0.14.1
Signed-off-by: RH Container Bot
---
 crun.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crun.spec b/crun.spec
index 230b32b..9cb4e2e 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.14.1
-Release: 5%{?dist}
+Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -47,6 +47,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Mon Sep 14 2020 RH Container Bot - 0.14.1-1
+- autobuilt 0.14.1
+
 * Mon Sep 14 2020 Giuseppe Scrivano - 0.14.1-5
 - backport 4453af4c060e380051552ee589af5cad37f2ae82
From 552ec9ef644b86e335242c250ee55ec270145d7d Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Wed, 23 Sep 2020 15:14:35 +0000
Subject: [PATCH 13/18] crun-0.15-1 autobuilt 0.15
Signed-off-by: RH Container Bot
---
 .gitignore | 1 +
 crun.spec | 5 ++++-
 sources | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index ce20ab0..515f617 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ crun-0.1.1.tar.gz
 /crun-0.13.tar.gz
 /crun-0.14.tar.gz
 /crun-0.14.1.tar.gz
+/crun-0.15.tar.gz
diff --git a/crun.spec b/crun.spec
index 9cb4e2e..300482a 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,6 +1,6 @@
 Summary: OCI runtime written in C
 Name: crun
-Version: 0.14.1
+Version: 0.15
 Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
@@ -47,6 +47,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 23 2020 RH Container Bot - 0.15-1
+- autobuilt 0.15
+
 * Mon Sep 14 2020 RH Container Bot - 0.14.1-1
 - autobuilt 0.14.1
diff --git a/sources b/sources
index 0d91064..07332d6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (crun-0.14.1.tar.gz) = 420f1713653cbd17df83b2a63d163aaa41baf78115b093877a2241305e10b2ceeaf08ea6700658eca894729ff8a20cbc66f868d18d27fba3fbedf1a9993b122e
+SHA512 (crun-0.15.tar.gz) = f9a9e94b6a9c5cff01fe93b1c3d5876a0794e6288b802cf579556e11411ca5d6e63cae3859aaa4df4bb600e2d27aa131872a93a92784b9b48f7885411d86f325
From 8883e62ca75c44d081b5932cab968d04060d1af6 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 23 Sep 2020 17:23:44 +0200
Subject: [PATCH 14/18] remove old patches
Signed-off-by: Giuseppe Scrivano
---
 ...apabilities-get-last_cap-dynamically.patch | 100 ------------------
 ...x-race-condition-when-reading-cgroup.patch | 42 --------
 crun.spec | 3 -
 3 files changed, 145 deletions(-)
 delete mode 100644 0001-Capabilities-get-last_cap-dynamically.patch
 delete mode 100644 0001-state-fix-race-condition-when-reading-cgroup.patch
diff --git a/0001-Capabilities-get-last_cap-dynamically.patch b/0001-Capabilities-get-last_cap-dynamically.patch
deleted file mode 100644
index 4a4751f..0000000
--- a/0001-Capabilities-get-last_cap-dynamically.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 2dd22b2f1aa13edc704cf5a6e50793457076789e Mon Sep 17 00:00:00 2001
-From: Ed Santiago
-Date: Mon, 31 Aug 2020 12:09:39 -0600
-Subject: [PATCH] Capabilities: get last_cap dynamically
-
-Determine the kernel capability set at run time, for
-consistency with runc.
-
-Signed-off-by: Ed Santiago
-(cherry picked from commit 4453af4c060e380051552ee589af5cad37f2ae82)
----
- src/libcrun/container.c | 4 ++++
- src/libcrun/linux.c | 29 +++++++++++++++++++++++++++--
- src/libcrun/linux.h | 1 +
- 3 files changed, 32 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcrun/container.c b/src/libcrun/container.c
-index 3723300..0870cf2 100644
---- a/src/libcrun/container.c
-+++ b/src/libcrun/container.c
-@@ -480,6 +480,10 @@ initialize_security (runtime_spec_schema_config_schema_process *proc, libcrun_er
- if (UNLIKELY (ret < 0))
- return ret;
-
-+ ret = libcrun_init_caps (err);
-+ if (UNLIKELY (ret < 0))
-+ return ret;
-+
- return 0;
- }
-
-diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
-index fa87d82..316943d 100644
---- a/src/libcrun/linux.c
-+++ b/src/libcrun/linux.c
-@@ -2291,6 +2291,28 @@ has_cap_on (int cap, long unsigned *caps)
- return (CAP_TO_MASK_1 (cap) & caps[1]);
- }
-
-+static unsigned long cap_last_cap;
-+
-+int
-+libcrun_init_caps (libcrun_error_t *err)
-+{
-+ cleanup_close int fd = -1;
-+ int ret;
-+ char buffer[16];
-+ fd = open ("/proc/sys/kernel/cap_last_cap", O_RDONLY);
-+ if (fd < 0)
-+ return crun_make_error (err, errno, "open /proc/sys/kernel/cap_last_cap");
-+ ret = TEMP_FAILURE_RETRY (read (fd, buffer, sizeof (buffer)));
-+ if (UNLIKELY (ret < 0))
-+ return crun_make_error (err, errno, "read from /proc/sys/kernel/cap_last_cap");
-+
-+ errno = 0;
-+ cap_last_cap = strtoul (buffer, NULL, 10);
-+ if (errno != 0)
-+ return crun_make_error (err, errno, "strtoul() from /proc/sys/kernel/cap_last_cap");
-+ return 0;
-+}
-+
- static int
- set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_privs,
libcrun_error_t *err)
- {
-@@ -2299,7 +2321,10 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
- struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
- struct __user_cap_data_struct data[2] = { { 0 } };
-
-- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
-+ if (cap_last_cap == 0)
-+ return crun_make_error (err, 0, "internal error: max number of capabilities not initialized");
-+
-+ for (cap = 0; cap <= cap_last_cap; cap++)
- if (! has_cap_on (cap, caps->bounding))
- {
- ret = prctl (PR_CAPBSET_DROP, cap, 0, 0, 0);
-@@ -2335,7 +2360,7 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
- if (UNLIKELY (ret < 0 && !(errno == EINVAL || errno == EPERM)))
- return crun_make_error (err, errno, "prctl reset ambient");
-
-- for (cap = 0; cap <= CAP_LAST_CAP; cap++)
-+ for (cap = 0; cap <= cap_last_cap; cap++)
- if (has_cap_on (cap, caps->ambient))
- {
- ret = prctl (PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
-diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
-index a92b5f1..fc70feb 100644
---- a/src/libcrun/linux.h
-+++ b/src/libcrun/linux.h
-@@ -38,6 +38,7 @@ pid_t libcrun_run_linux_container (libcrun_container_t *container,
- libcrun_error_t *err);
- int get_notify_fd (libcrun_context_t *context, libcrun_container_t *container, int *notify_socket_out, libcrun_error_t *err);
- int libcrun_set_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *err);
-+int libcrun_init_caps (libcrun_error_t *err);
- int libcrun_do_pivot_root (libcrun_container_t *container, bool no_pivot, const char *rootfs, libcrun_error_t *err);
- int libcrun_reopen_dev_null (libcrun_error_t *err);
- int libcrun_set_usernamespace (libcrun_container_t *container, pid_t pid, libcrun_error_t *err);
--- 
-2.26.2
-
diff --git a/0001-state-fix-race-condition-when-reading-cgroup.patch b/0001-state-fix-race-condition-when-reading-cgroup.patch
deleted file mode 100644
index cbdaf76..0000000
--- a/0001-state-fix-race-condition-when-reading-cgroup.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1a71c82ea9fd3561b16e2730bea9673219c15843 Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano
-Date: Thu, 27 Aug 2020 12:10:21 +0200
-Subject: [PATCH] state: fix race condition when reading cgroup
-
-by the time crun attempts to read from the cgroup, systemd might have
-already cleaned it up. When using systemd, on ENOENT state reports
-the container as "stopped" instead of an error.
-
-Closes: https://github.com/containers/podman/issues/7148
-
-Signed-off-by: Giuseppe Scrivano
----
- src/libcrun/container.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcrun/container.c b/src/libcrun/container.c
-index 3723300..289e551 100644
---- a/src/libcrun/container.c
-+++ b/src/libcrun/container.c
-@@ -2112,7 +2112,17 @@ libcrun_get_container_state_string (const char *id, libcrun_container_status_t *
-
- ret = libcrun_cgroup_is_container_paused (status->cgroup_path, cgroup_mode, &paused, err);
- if (UNLIKELY (ret < 0))
-- return ret;
-+ {
-+ /* The cgroup might have been cleaned up by systemd by the time we try to read it, so ignore ENOENT. */
-+ if (status->systemd_cgroup && crun_error_get_errno (err) == ENOENT)
-+ {
-+ crun_error_release (err);
-+ *container_status = "stopped";
-+ return 0;
-+ }
-+
-+ return ret;
-+ }
- }
-
- if (! *running)
--- 
-2.26.2
-
diff --git a/crun.spec b/crun.spec
index 300482a..e77286f 100644
--- a/crun.spec
+++ b/crun.spec
@@ -22,9 +22,6 @@ BuildRequires: libtool
 BuildRequires: go-md2man
 Provides: oci-runtime = 2
-Patch0: 0001-state-fix-race-condition-when-reading-cgroup.patch
-Patch1: 0001-Capabilities-get-last_cap-dynamically.patch
-
 %description
 crun is a runtime for running OCI containers
From 87ad56108944e6a484ab8bb2958ce0139786e080 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 23 Sep 2020 17:27:34 +0200
Subject: [PATCH 15/18] rebuild
Signed-off-by: Giuseppe Scrivano
(cherry picked from commit 89169426ca4a015e5ca8af27d04bf2d6ab2097fa)
---
 crun.spec | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/crun.spec b/crun.spec
index e77286f..921c6ff 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.15
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -44,12 +44,18 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 23 2020 Giuseppe Scrivano - 0.15-2
+- rebuild
+
 * Wed Sep 23 2020 RH Container Bot - 0.15-1
 - autobuilt 0.15
 * Mon Sep 14 2020 RH Container Bot - 0.14.1-1
 - autobuilt 0.14.1
+* Wed Sep 23 2020 Giuseppe Scrivano - 0.15-1
+- build version 0.15
+
 * Mon Sep 14 2020 Giuseppe Scrivano - 0.14.1-5
 - backport 4453af4c060e380051552ee589af5cad37f2ae82

From 6ee1339e66d6736c74c0c5b9333f57798dcf623a Mon Sep 17 00:00:00 2001
From: RH Container Bot
Date: Wed, 23 Sep 2020 16:13:15 +0000
Subject: [PATCH 16/18] crun-0.15-1

autobuilt 0.15

Signed-off-by: RH Container Bot
---
 crun.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crun.spec b/crun.spec
index 921c6ff..90a862d 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.15
-Release: 2%{?dist}
+Release: 1%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -44,6 +44,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 23 2020 RH Container Bot - 0.15-1
+- autobuilt 0.15
+
 * Wed Sep 23 2020 Giuseppe Scrivano - 0.15-2
 - rebuild

From b39f261df21808641e5eec528c723766bd88c029 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 30 Sep 2020 14:33:23 +0200
Subject: [PATCH 17/18] crun-0.15-3
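Review bot: In the PATCH 16/18 hunk the Release line goes backwards, from `-Release: 2%{?dist}` to `+Release: 1%{?dist}`, so the resulting 0.15-1 package sorts below the 0.15-2 that the changelog already records and would not be offered as an update to hosts that have 0.15-2 installed. Its changelog hunk also adds a second `* Wed Sep 23 2020 RH Container Bot - 0.15-1` / `- autobuilt 0.15` entry while the identical entry is still present further down as context (it is visible in the PATCH 15/18 hunk), which looks like an autobuild commit replayed on a branch that already contained it. The later 0.15-3 and 0.15-5 commits on this page restore an increasing Release, but the duplicated changelog entry survives them and should be dropped, leaving one 0.15-1 entry in date order.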
Signed-off-by: Giuseppe Scrivano
---
 0001-exec-check-read-bytes-from-sync.patch | 35 ++++++++++++++++++++++
 crun.spec | 7 ++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 0001-exec-check-read-bytes-from-sync.patch

diff --git a/0001-exec-check-read-bytes-from-sync.patch b/0001-exec-check-read-bytes-from-sync.patch
new file mode 100644
index 0000000..fc41655
--- /dev/null
+++ b/0001-exec-check-read-bytes-from-sync.patch
@@ -0,0 +1,35 @@
+From 20c56beb3307b0ac07af0edbbbe49ec65819f559 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Tue, 29 Sep 2020 16:52:02 +0200
+Subject: [PATCH] exec: check read bytes from sync
+
+when reading from the exec sync pipe, make sure it reads exactly one
+byte otherwise return an error.
+
+Closes: https://github.com/containers/crun/issues/511
+
+Signed-off-by: Giuseppe Scrivano
+---
+ src/libcrun/container.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index 927986a..0308992 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -2595,10 +2595,10 @@ libcrun_container_exec (libcrun_context_t *context, const char *id, runtime_spec
+ }
+ }
+
+- TEMP_FAILURE_RETRY (read (pipefd0, &b, sizeof (b)));
++ ret = TEMP_FAILURE_RETRY (read (pipefd0, &b, sizeof (b)));
+ TEMP_FAILURE_RETRY (close (pipefd0));
+ pipefd0 = -1;
+- if (b != '0')
++ if (ret != 1 || b != '0')
+ ret = -1;
+ else
+ {
+--
+2.26.2
+
diff --git a/crun.spec b/crun.spec
index 90a862d..95dafa4 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.15
-Release: 1%{?dist}
+Release: 3%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
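Review bot: The new condition `if (ret != 1 || b != '0')` folds a read error (ret < 0), an EOF because the child went away before writing its sync byte (ret == 0) and an explicit failure byte into the same `ret = -1`, so the caller cannot tell which happened, and by the time the check runs errno may already have been overwritten by the `close (pipefd0)` on the line between. If `err` is among libcrun_container_exec's parameters (its signature is cut off in the hunk header) and pipefd0 is released by cleanup on return, a check placed directly after the read, `if (ret < 0) return crun_make_error (err, errno, "read from exec sync pipe");`, would preserve the cause, and the ret == 0 case could be reported the same way with errno 0. The check as written is otherwise sound: thanks to the `||` short-circuit, `b` is never examined after a short read, so an uninitialized byte cannot be mistaken for success. libcrun_container_exec's body continues outside the hunk.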
@@ -22,6 +22,8 @@ BuildRequires: libtool
 BuildRequires: go-md2man
 Provides: oci-runtime = 2
+Patch0: 0001-exec-check-read-bytes-from-sync.patch
+
 %description
 crun is a runtime for running OCI containers
@@ -44,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 30 2020 Giuseppe Scrivano - 0.15-3
+- backport "exec: check read bytes from sync"
+
 * Wed Sep 23 2020 RH Container Bot - 0.15-1
 - autobuilt 0.15

From ba1d555f5481853023fbead9224f31610e3e467c Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Wed, 30 Sep 2020 11:49:43 -0400
Subject: [PATCH 18/18] crun-0.15-5

- rebuild to bump release tag ahead of older fedoras

Signed-off-by: Lokesh Mandvekar
(cherry picked from commit 2d611f8179de715143822e36d37d59d28d8c471b)
Signed-off-by: Lokesh Mandvekar
---
 crun.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crun.spec b/crun.spec
index 95dafa4..d745233 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,7 +1,7 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.15
-Release: 3%{?dist}
+Release: 5%{?dist}
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.gz
 License: GPLv3+
 URL: https://github.com/containers/crun
@@ -46,6 +46,9 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 30 2020 Lokesh Mandvekar - 0.15-5
+- rebuild to bump release tag ahead of older fedoras
+
 * Wed Sep 30 2020 Giuseppe Scrivano - 0.15-3
 - backport "exec: check read bytes from sync"
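Review bot: `+Patch0: 0001-exec-check-read-bytes-from-sync.patch` only declares the backport; whether it is applied depends on the %prep section, which is outside this hunk, so confirm it uses `%autosetup -p1` (or an explicit `%patch0 -p1`), otherwise 0.15-3 lists the sync-pipe fix in its changelog while the shipped binary does not contain it. The spec carried Patch0/Patch1 lines before they were dropped earlier in this series, which suggests the application step exists, but nothing in the hunk shows it. The changelog entry `- backport "exec: check read bytes from sync"` could also cite the upstream commit it vendors, 20c56beb3307b0ac07af0edbbbe49ec65819f559, the way the 0.14.1-5 entry cites its commit, so the provenance of the patch file can be checked against upstream.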