Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package runc for openSUSE:Factory checked in at 2023-07-25 11:23:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/runc (Old) and /work/SRC/openSUSE:Factory/.runc.new.1467 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "runc" Tue Jul 25 11:23:38 2023 rev:56 rq:1099532 version:1.1.8 Changes: -------- --- /work/SRC/openSUSE:Factory/runc/runc.changes 2023-04-28 16:22:53.717844566 +0200 +++ /work/SRC/openSUSE:Factory/.runc.new.1467/runc.changes 2023-07-25 11:25:39.740530072 +0200 @@ -1,0 +2,6 @@ +Wed Jul 19 14:04:08 UTC 2023 - Aleksa Sarai <[email protected]> + +- Update to runc v1.1.8. Upstream changelog is available from + <https://github.com/opencontainers/runc/releases/tag/v1.1.8>. + +------------------------------------------------------------------- Old: ---- runc-1.1.7.tar.xz runc-1.1.7.tar.xz.asc New: ---- runc-1.1.8.tar.xz runc-1.1.8.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ runc.spec ++++++ --- /var/tmp/diff_new_pack.c1Pzve/_old 2023-07-25 11:25:40.264533127 +0200 +++ /var/tmp/diff_new_pack.c1Pzve/_new 2023-07-25 11:25:40.268533150 +0200 @@ -18,13 +18,13 @@ # MANUAL: Make sure you update this each time you update runc. -%define git_version 860f061b76bb4fc671f0f9e900f7d80ff93d4eb7 -%define git_short 860f061b76bb +%define git_version 82f18fe0e44a59034f3e1f45e475fa5636e539aa +%define git_short 82f18fe0e44a %define project github.com/opencontainers/runc Name: runc -Version: 1.1.7 +Version: 1.1.8 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 ++++++ runc-1.1.7.tar.xz -> runc-1.1.8.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/.cirrus.yml new/runc-1.1.8/.cirrus.yml --- old/runc-1.1.7/.cirrus.yml 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/.cirrus.yml 2023-07-19 07:15:32.000000000 +0200 
@@ -1,7 +1,8 @@ --- -# We use Cirrus for Vagrant tests and native CentOS 7 and 8, because macOS -# instances of GHA are too slow and flaky, and Linux instances of GHA do not -# support KVM. +# We use Cirrus for CentOS (native) and Fedora (in Vagrant), because neither +# CentOS nor Fedora is available on GHA natively, so the only option is VM. +# In GHA, nested virtualization is only supported on macOS instances, which +# are slow and flaky. # NOTE Cirrus execution environments lack a terminal, needed for # some integration tests. So we use `ssh -tt` command to fake a terminal. @@ -24,9 +25,9 @@ platform: linux nested_virtualization: true # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits - cpu: 8 + cpu: 4 # Memory limit: `4GB * NCPU` - memory: 32G + memory: 16G host_info_script: | uname -a @@ -37,12 +38,18 @@ echo "-----" df -T install_libvirt_vagrant_script: | + curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list + sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list apt-get update - apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt + apt-get install -y libvirt-daemon libvirt-daemon-system vagrant systemctl enable --now libvirtd + apt-get build-dep -y vagrant ruby-libvirt + apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev + vagrant plugin install vagrant-libvirt vagrant_cache: - fingerprint_script: uname -s ; cat Vagrantfile.$DISTRO - folder: /root/.vagrant.d + fingerprint_script: cat Vagrantfile.$DISTRO + folder: /root/.vagrant.d/boxes vagrant_up_script: | ln -sf Vagrantfile.$DISTRO Vagrantfile # Retry if it fails (download.fedoraproject.org returns 404 sometimes) 
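Review bot: The new install_libvirt_vagrant_script line `curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg` accepts whatever key the endpoint serves as the apt signing key for the vagrant packages installed a few lines later, so a substituted response would be trusted for the rest of the job. Pinning the key after the dearmor step closes that gap, e.g. `sudo gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint | grep -q '<EXPECTED_FINGERPRINT>'` (placeholder; take the value from HashiCorp's published key). The added `sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list` enables every deb-src entry only so that `apt-get build-dep` can run; a one-line comment such as `# Enable deb-src so that build-dep below can fetch vagrant-libvirt's build dependencies.` would save the next reader from guessing.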
@@ -71,7 +78,7 @@ HOME: /root CIRRUS_WORKING_DIR: /home/runc GO_VERSION: "1.19.8" - BATS_VERSION: "v1.3.0" + BATS_VERSION: "v1.9.0" RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs # yamllint disable rule:key-duplicates matrix: @@ -104,6 +111,11 @@ centos-stream-9) dnf config-manager --set-enabled crb # for glibc-static dnf -y install epel-release epel-next-release # for fuse-sshfs + # Delegate all cgroup v2 controllers to rootless user via --systemd-cgroup. + # The default (since systemd v252) is "pids memory cpu". + mkdir -p /etc/systemd/system/[email protected] + printf "[Service]\nDelegate=yes\n" > /etc/systemd/system/[email protected]/delegate.conf + systemctl daemon-reload ;; esac # Work around dnf mirror failures by retrying a few times. @@ -163,13 +175,19 @@ integration_fs_script: | ssh -tt localhost "make -C /home/runc localintegration" integration_systemd_rootless_script: | - echo "SKIP: integration_systemd_rootless_script requires cgroup v2" + case $DISTRO in + centos-7|centos-stream-8) + echo "SKIP: integration_systemd_rootless_script requires cgroup v2" + ;; + *) + ssh -tt localhost "make -C /home/runc localrootlessintegration RUNC_USE_SYSTEMD=yes" + esac integration_fs_rootless_script: | case $DISTRO in centos-7) echo "SKIP: FIXME: integration_fs_rootless_script is skipped because of EPERM on writing cgroup.procs" ;; - centos-stream-8) + *) ssh -tt localhost "make -C /home/runc localrootlessintegration" ;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/.codespellrc new/runc-1.1.8/.codespellrc --- old/runc-1.1.7/.codespellrc 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/.codespellrc 2023-07-19 07:15:32.000000000 +0200 
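Review bot: The new `*)` branch of integration_systemd_rootless_script ends its ssh command without a `;;` before `esac`, whereas integration_fs_rootless_script directly below terminates every branch with `;;`; add the `;;` so the two case statements read alike. In the centos-stream-9 provisioning block the drop-in directory is rendered on this page as an e-mail-like token (`[email protected]`), presumably scrubbed by the mailer, so confirm the real unit directory against the upstream file before copying anything from this log. `Delegate=yes` there hands every cgroup v2 controller to every user session on that VM, which is acceptable for a throwaway CI guest but worth stating in the comment, e.g. `# CI-only: widens delegation for all user sessions on this test VM.`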
@@ -1,3 +1,3 @@ [codespell] skip = ./vendor,./.git,./go.sum -ignore-words-list = clos,creat,ro,complies +ignore-words-list = clos,mis diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/.github/workflows/test.yml new/runc-1.1.8/.github/workflows/test.yml --- old/runc-1.1.7/.github/workflows/test.yml 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/.github/workflows/test.yml 2023-07-19 07:15:32.000000000 +0200 @@ -70,7 +70,7 @@ - name: install bats uses: mig4/setup-bats@v1 with: - bats-version: 1.3.0 + bats-version: 1.9.0 - name: unit test if: matrix.rootless != 'rootless' @@ -124,5 +124,4 @@ go-version: 1.x # Latest stable - name: unit test - # cgo is disabled by default when cross-compiling - run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 CGO_CFLAGS=-fno-stack-protector localunittest + run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/CHANGELOG.md new/runc-1.1.8/CHANGELOG.md --- old/runc-1.1.7/CHANGELOG.md 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/CHANGELOG.md 2023-07-19 07:15:32.000000000 +0200 
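Review bot: The 386 unit-test step drops `CGO_ENABLED=1 CGO_CFLAGS=-fno-stack-protector` together with the comment that explained why cgo had to be forced; CGO_ENABLED is now exported by the Makefile for localunittest (see the Makefile hunk further down), but nothing visible in this diff carries the CGO_CFLAGS part. If that flag was needed to link 32-bit cgo test binaries on the amd64 runner, this step may regress; if it is obsolete, a short comment on the step, `# cgo is enabled by the Makefile for localunittest`, would keep the reasoning discoverable now that the old one is gone.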
@@ -6,6 +6,31 @@ ## [Unreleased 1.1.z] +## [1.1.8] - 2023-07-20 + +> 海纳ç¾å· æå®¹ä¹å¤§ + +### Added + +* Support riscv64. (#3905) + +### Fixed + +* init: do not print environment variable value. (#3879) +* libct: fix a race with systemd removal. (#3877) +* tests/int: increase num retries for oom tests. (#3891) +* man/runc: fixes. (#3892) +* Fix tmpfs mode opts when dir already exists. (#3916) +* docs/systemd: fix a broken link. (#3917) +* ci/cirrus: enable some rootless tests on cs9. (#3918) +* runc delete: call systemd's reset-failed. (#3932) +* libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. (#3921) + +### Changed + +* CI: bump Fedora, Vagrant, bats. (#3878) +* `.codespellrc`: update for 2.2.5. (#3909) + ## [1.1.7] - 2023-04-26 > ÐоÑевала ÑÑÑка золоÑÐ°Ñ Ð½Ð° гÑÑди > ÑÑеÑа-великана. @@ -410,7 +435,8 @@ [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 <!-- 1.1.z patch releases --> -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.7...release-1.1 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.8...release-1.1 +[1.1.8]: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.8 [1.1.7]: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7 [1.1.6]: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6 [1.1.5]: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/Dockerfile new/runc-1.1.8/Dockerfile --- old/runc-1.1.7/Dockerfile 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/Dockerfile 2023-07-19 07:15:32.000000000 +0200 @@ -1,5 +1,5 @@ ARG GO_VERSION=1.20 -ARG BATS_VERSION=v1.3.0 +ARG BATS_VERSION=v1.9.0 ARG LIBSECCOMP_VERSION=2.5.4 FROM golang:${GO_VERSION}-bullseye 
@@ -9,19 +9,16 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \ wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \ && echo "deb [signed-by=$KEYFILE] $CRIU_REPO/ /" > /etc/apt/sources.list.d/criu.list \ - && dpkg --add-architecture armel \ - && dpkg --add-architecture armhf \ - && dpkg --add-architecture arm64 \ - && dpkg --add-architecture ppc64el \ && apt-get update \ && apt-get install -y --no-install-recommends \ build-essential \ criu \ - crossbuild-essential-arm64 \ - crossbuild-essential-armel \ - crossbuild-essential-armhf \ - crossbuild-essential-ppc64el \ - crossbuild-essential-s390x \ + gcc-aarch64-linux-gnu libc-dev-arm64-cross \ + gcc-arm-linux-gnueabi libc-dev-armel-cross \ + gcc-arm-linux-gnueabihf libc-dev-armhf-cross \ + gcc-powerpc64le-linux-gnu libc-dev-ppc64el-cross \ + gcc-s390x-linux-gnu libc-dev-s390x-cross \ + gcc-riscv64-linux-gnu libc-dev-riscv64-cross \ curl \ gawk \ gcc \ @@ -54,9 +51,9 @@ # install libseccomp ARG LIBSECCOMP_VERSION -COPY script/* /tmp/script/ +COPY script/seccomp.sh script/lib.sh /tmp/script/ RUN mkdir -p /opt/libseccomp \ - && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le s390x + && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp arm64 armel armhf ppc64le riscv64 s390x ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION ENV LD_LIBRARY_PATH=/opt/libseccomp/lib ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/Makefile new/runc-1.1.8/Makefile --- old/runc-1.1.7/Makefile 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/Makefile 2023-07-19 07:15:32.000000000 +0200 
@@ -10,23 +10,51 @@ RUNC_IMAGE := runc_dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN)) PROJECT := github.com/opencontainers/runc BUILDTAGS ?= seccomp + COMMIT ?= $(shell git describe --dirty --long --always) VERSION := $(shell cat ./VERSION) +LDFLAGS_COMMON := -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) + +GOARCH := $(shell $(GO) env GOARCH) -ifeq ($(shell $(GO) env GOOS),linux) - ifeq (,$(filter $(shell $(GO) env GOARCH),mips mipsle mips64 mips64le ppc64)) - ifeq (,$(findstring -race,$(EXTRA_FLAGS))) - GO_BUILDMODE := "-buildmode=pie" - endif +GO_BUILDMODE := +# Enable dynamic PIE executables on supported platforms. +ifneq (,$(filter $(GOARCH),386 amd64 arm arm64 ppc64le riscv64 s390x)) + ifeq (,$(findstring -race,$(EXTRA_FLAGS))) + GO_BUILDMODE := "-buildmode=pie" + endif +endif +GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) \ + $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \ + -ldflags "$(LDFLAGS_COMMON) $(EXTRA_LDFLAGS)" + +GO_BUILDMODE_STATIC := +LDFLAGS_STATIC := -extldflags -static +# Enable static PIE executables on supported platforms. +# This (among the other things) requires libc support (rcrt1.o), which seems +# to be available only for arm64 and amd64 (Debian Bullseye). +ifneq (,$(filter $(GOARCH),arm64 amd64)) + ifeq (,$(findstring -race,$(EXTRA_FLAGS))) + GO_BUILDMODE_STATIC := -buildmode=pie + LDFLAGS_STATIC := -linkmode external -extldflags --static-pie endif endif -GO_BUILD := $(GO) build -trimpath $(GO_BUILDMODE) $(EXTRA_FLAGS) -tags "$(BUILDTAGS)" \ - -ldflags "-X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)" -GO_BUILD_STATIC := CGO_ENABLED=1 $(GO) build -trimpath $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \ - -ldflags "-extldflags -static -X main.gitCommit=$(COMMIT) -X main.version=$(VERSION) $(EXTRA_LDFLAGS)" +# Enable static PIE binaries on supported platforms. 
+GO_BUILD_STATIC := $(GO) build -trimpath $(GO_BUILDMODE_STATIC) \ + $(EXTRA_FLAGS) -tags "$(BUILDTAGS) netgo osusergo" \ + -ldflags "$(LDFLAGS_COMMON) $(LDFLAGS_STATIC) $(EXTRA_LDFLAGS)" GPG_KEYID ?= [email protected] +# Some targets need cgo, which is disabled by default when cross compiling. +# Enable cgo explicitly for those. +# Both runc and libcontainer/integration need libcontainer/nsenter. +runc static localunittest: export CGO_ENABLED=1 +# seccompagent needs libseccomp (when seccomp build tag is set). +ifneq (,$(filter $(BUILDTAGS),seccomp)) +seccompagent: export CGO_ENABLED=1 +endif + .DEFAULT: runc runc: @@ -40,7 +68,7 @@ static: $(GO_BUILD_STATIC) -o runc . -releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a s390x" +releaseall: RELEASE_ARGS := "-a arm64 -a armel -a armhf -a ppc64le -a riscv64 -a s390x" releaseall: release release: runcimage diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/VERSION new/runc-1.1.8/VERSION --- old/runc-1.1.7/VERSION 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/VERSION 2023-07-19 07:15:32.000000000 +0200 @@ -1 +1 @@ -1.1.7 +1.1.8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/Vagrantfile.fedora new/runc-1.1.8/Vagrantfile.fedora --- old/runc-1.1.7/Vagrantfile.fedora 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/Vagrantfile.fedora 2023-07-19 07:15:32.000000000 +0200 
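Review bot: The added `# Enable static PIE binaries on supported platforms.` directly above GO_BUILD_STATIC repeats the comment already placed above GO_BUILDMODE_STATIC and does not describe the line it sits on, which defines the static build command for every platform, PIE or not. Replace it with something like `# Static build: netgo/osusergo tags, static link, PIE where GO_BUILDMODE_STATIC allows it.` A smaller style point: GO_BUILDMODE is assigned `"-buildmode=pie"` with quotes while GO_BUILDMODE_STATIC gets `-buildmode=pie` bare; both reach the shell as one word, so pick one form for the two variables. The hunk opens on context lines (RUNC_IMAGE, PROJECT) but the variable block itself is complete within it.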
@@ -3,7 +3,7 @@ Vagrant.configure("2") do |config| # Fedora box is used for testing cgroup v2 support - config.vm.box = "fedora/37-cloud-base" + config.vm.box = "fedora/38-cloud-base" config.vm.provider :virtualbox do |v| v.memory = 2048 v.cpus = 2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/docs/systemd.md new/runc-1.1.8/docs/systemd.md --- old/runc-1.1.7/docs/systemd.md 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/docs/systemd.md 2023-07-19 07:15:32.000000000 +0200 @@ -123,8 +123,8 @@ * `TimeoutStopSec` to 2 minutes and 3 seconds; * `CollectMode` to "inactive-or-failed". -The values must be in the gvariant format (for details, see -[gvariant documentation](https://developer.gnome.org/glib/stable/gvariant-text.html)). +The values must be in the gvariant text format, as described in +[gvariant documentation](https://docs.gtk.org/glib/gvariant-text.html). To find out which type systemd expects for a particular parameter, please consult systemd sources. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/cgroups/systemd/common.go new/runc-1.1.8/libcontainer/cgroups/systemd/common.go --- old/runc-1.1.7/libcontainer/cgroups/systemd/common.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/cgroups/systemd/common.go 2023-07-19 07:15:32.000000000 +0200 @@ -370,7 +370,10 @@ // In case a unit with the same name exists, this may // be a leftover failed unit. Reset it, so systemd can // remove it, and retry once. - resetFailedUnit(cm, unitName) + err = resetFailedUnit(cm, unitName) + if err != nil { + logrus.Warnf("unable to reset failed unit: %v", err) + } retry = false goto retry } 
@@ -385,11 +388,11 @@ close(statusChan) // Please refer to https://pkg.go.dev/github.com/coreos/go-systemd/v22/dbus#Conn.StartUnit if s != "done" { - resetFailedUnit(cm, unitName) + _ = resetFailedUnit(cm, unitName) return fmt.Errorf("error creating systemd unit `%s`: got `%s`", unitName, s) } case <-timeout.C: - resetFailedUnit(cm, unitName) + _ = resetFailedUnit(cm, unitName) return errors.New("Timeout waiting for systemd to create " + unitName) } @@ -417,16 +420,17 @@ return errors.New("Timed out while waiting for systemd to remove " + unitName) } } + + // In case of a failed unit, let systemd remove it. + _ = resetFailedUnit(cm, unitName) + return nil } -func resetFailedUnit(cm *dbusConnManager, name string) { - err := cm.retryOnDisconnect(func(c *systemdDbus.Conn) error { +func resetFailedUnit(cm *dbusConnManager, name string) error { + return cm.retryOnDisconnect(func(c *systemdDbus.Conn) error { return c.ResetFailedUnitContext(context.TODO(), name) }) - if err != nil { - logrus.Warnf("unable to reset failed unit: %v", err) - } } func getUnitTypeProperty(cm *dbusConnManager, unitName string, unitType string, propertyName string) (*systemdDbus.Property, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/cgroups/systemd/v1.go new/runc-1.1.8/libcontainer/cgroups/systemd/v1.go --- old/runc-1.1.7/libcontainer/cgroups/systemd/v1.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/cgroups/systemd/v1.go 2023-07-19 07:15:32.000000000 +0200 
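Review bot: The three `_ = resetFailedUnit(cm, unitName)` sites (the `s != "done"` path, the timeout path, and the new call at the end of the remove path) discard the error that the start-unit path in the preceding hunk at -370 now logs with Warnf, so a failed reset-failed leaves the unit behind with no trace in the log. A debug-level line at those sites keeps the noise down while retaining diagnosability, e.g. `if err := resetFailedUnit(cm, unitName); err != nil { logrus.Debugf("reset failed unit %s: %v", unitName, err) }`. Both enclosing functions start and end outside these hunks, and the final call runs after the remove timeout has already been reported, so the inferred intent of "best effort" holds; it just should not be silent.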
@@ -417,6 +417,15 @@ if err := m.doFreeze(configs.Frozen); err != nil { // If freezer cgroup isn't supported, we just warn about it. logrus.Infof("freeze container before SetUnitProperties failed: %v", err) + // skip update the cgroup while frozen failed. #3803 + if !errors.Is(err, errSubsystemDoesNotExist) { + if needsThaw { + if thawErr := m.doFreeze(configs.Thawed); thawErr != nil { + logrus.Infof("thaw container after doFreeze failed: %v", thawErr) + } + } + return err + } } } setErr := setUnitProperties(m.dbus, unitName, properties...) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/container_linux.go new/runc-1.1.8/libcontainer/container_linux.go --- old/runc-1.1.7/libcontainer/container_linux.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/container_linux.go 2023-07-19 07:15:32.000000000 +0200 @@ -146,19 +146,21 @@ return c.currentOCIState() } -func (c *linuxContainer) Processes() ([]int, error) { - var pids []int - status, err := c.currentStatus() - if err != nil { - return pids, err +// ignoreCgroupError filters out cgroup-related errors that can be ignored, +// because the container is stopped and its cgroup is gone. +func (c *linuxContainer) ignoreCgroupError(err error) error { + if err == nil { + return nil } - // for systemd cgroup, the unit's cgroup path will be auto removed if container's all processes exited - if status == Stopped && !c.cgroupManager.Exists() { - return pids, nil + if errors.Is(err, os.ErrNotExist) && c.runType() == Stopped && !c.cgroupManager.Exists() { + return nil } + return err +} - pids, err = c.cgroupManager.GetAllPids() - if err != nil { +func (c *linuxContainer) Processes() ([]int, error) { + pids, err := c.cgroupManager.GetAllPids() + if err = c.ignoreCgroupError(err); err != nil { return nil, fmt.Errorf("unable to get all container pids: %w", err) } return pids, nil 
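Review bot: The existing `logrus.Infof("freeze container before SetUnitProperties failed: %v", err)` still fires for every freeze failure, but the new branch then also returns err for anything other than errSubsystemDoesNotExist, so that failure is reported twice and the comment "If freezer cgroup isn't supported, we just warn about it" no longer matches the returned case. Moving the Infof and its comment below the `if !errors.Is(err, errSubsystemDoesNotExist) { ... return err }` block limits the log line to the case that is actually tolerated. Whether doFreeze returns errSubsystemDoesNotExist wrapped or bare is not visible here; `errors.Is` handles both, but it is worth confirming the sentinel is the one doFreeze actually produces. The enclosing function starts and ends outside the hunk.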
@@ -382,11 +384,12 @@ return err } if all { - // for systemd cgroup, the unit's cgroup path will be auto removed if container's all processes exited if status == Stopped && !c.cgroupManager.Exists() { + // Avoid calling signalAllProcesses which may print + // a warning trying to freeze a non-existing cgroup. return nil } - return signalAllProcesses(c.cgroupManager, s) + return c.ignoreCgroupError(signalAllProcesses(c.cgroupManager, s)) } // to avoid a PID reuse attack if status == Running || status == Created || status == Paused { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/init_linux.go new/runc-1.1.8/libcontainer/init_linux.go --- old/runc-1.1.7/libcontainer/init_linux.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/init_linux.go 2023-07-19 07:15:32.000000000 +0200 
@@ -116,17 +116,17 @@ for _, pair := range env { p := strings.SplitN(pair, "=", 2) if len(p) < 2 { - return fmt.Errorf("invalid environment variable: %q", pair) + return errors.New("invalid environment variable: missing '='") } name, val := p[0], p[1] if name == "" { - return fmt.Errorf("environment variable name can't be empty: %q", pair) + return errors.New("invalid environment variable: name cannot be empty") } if strings.IndexByte(name, 0) >= 0 { - return fmt.Errorf("environment variable name can't contain null(\\x00): %q", pair) + return fmt.Errorf("invalid environment variable %q: name contains nul byte (\\x00)", name) } if strings.IndexByte(val, 0) >= 0 { - return fmt.Errorf("environment variable value can't contain null(\\x00): %q", pair) + return fmt.Errorf("invalid environment variable %q: value contains nul byte (\\x00)", name) } if err := os.Setenv(name, val); err != nil { return err diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/rootfs_linux.go new/runc-1.1.8/libcontainer/rootfs_linux.go --- old/runc-1.1.7/libcontainer/rootfs_linux.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/rootfs_linux.go 2023-07-19 07:15:32.000000000 +0200 @@ -459,11 +459,16 @@ } return label.SetFileLabel(dest, mountLabel) case "tmpfs": - stat, err := os.Stat(dest) - if err != nil { + if stat, err := os.Stat(dest); err != nil { if err := os.MkdirAll(dest, 0o755); err != nil { return err } + } else { + dt := fmt.Sprintf("mode=%04o", stat.Mode()) + if m.Data != "" { + dt = dt + "," + m.Data + } + m.Data = dt } if m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP { 
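Review bot: The rewritten messages deliberately stop including `pair`, which carried the value, but nothing in the code records that this is intentional, so a later "more helpful" edit could reintroduce the leak. A comment above the context line `for _, pair := range env {` would pin it down: `// Error messages intentionally omit the variable value: the environment may hold credentials and these errors end up in logs.` The two remaining `%q` uses print only the name, which is consistent with that rule; the missing-'=' branch has no safe identifier to print, so leaving it anonymous is the right call.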
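Review bot: `dt := fmt.Sprintf("mode=%04o", stat.Mode())` formats Go's os.FileMode, not a POSIX mode: FileMode keeps the directory type in bit 31 and setuid/setgid/sticky in bits 23/22/20 rather than in the 0o7000 positions, so an existing directory with mode 1777 is recreated as 0777 and every existing directory yields a leading type bit that the option parser has to mask. Deriving the option from the raw stat avoids both, e.g. `dt := fmt.Sprintf("mode=%04o", stat.Sys().(*syscall.Stat_t).Mode&0o7777)` (or map os.ModeSetuid/ModeSetgid/ModeSticky onto `stat.Mode().Perm()` by hand; which imports the file has is not visible in this hunk). The new integration test only checks 0444, 0710 and 0410, none of which carry those bits, so it would not catch this; a `chmod 1777` round would. The enclosing mount switch starts and ends outside the hunk.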
@@ -472,16 +477,7 @@ err = mountPropagate(m, rootfs, mountLabel, nil) } - if err != nil { - return err - } - - if stat != nil { - if err = os.Chmod(dest, stat.Mode()); err != nil { - return err - } - } - return nil + return err case "bind": if err := prepareBindMount(m, rootfs, mountFd); err != nil { return err diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/seccomp/config.go new/runc-1.1.8/libcontainer/seccomp/config.go --- old/runc-1.1.7/libcontainer/seccomp/config.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/seccomp/config.go 2023-07-19 07:15:32.000000000 +0200 @@ -66,6 +66,7 @@ "SCMP_ARCH_PPC": "ppc", "SCMP_ARCH_PPC64": "ppc64", "SCMP_ARCH_PPC64LE": "ppc64le", + "SCMP_ARCH_RISCV64": "riscv64", "SCMP_ARCH_S390": "s390", "SCMP_ARCH_S390X": "s390x", } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/libcontainer/seccomp/patchbpf/enosys_linux.go new/runc-1.1.8/libcontainer/seccomp/patchbpf/enosys_linux.go --- old/runc-1.1.7/libcontainer/seccomp/patchbpf/enosys_linux.go 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/libcontainer/seccomp/patchbpf/enosys_linux.go 2023-07-19 07:15:32.000000000 +0200 @@ -48,6 +48,13 @@ #endif const uintptr_t C_FILTER_FLAG_NEW_LISTENER = SECCOMP_FILTER_FLAG_NEW_LISTENER; +#ifndef AUDIT_ARCH_RISCV64 +#ifndef EM_RISCV +#define EM_RISCV 243 +#endif +#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#endif + // We use the AUDIT_ARCH_* values because those are the ones used by the kernel // and SCMP_ARCH_* sometimes has fake values (such as SCMP_ARCH_X32). But we // use <seccomp.h> so we get libseccomp's fallback definitions of AUDIT_ARCH_*. 
@@ -67,6 +74,7 @@ const uint32_t C_AUDIT_ARCH_PPC64LE = AUDIT_ARCH_PPC64LE; const uint32_t C_AUDIT_ARCH_S390 = AUDIT_ARCH_S390; const uint32_t C_AUDIT_ARCH_S390X = AUDIT_ARCH_S390X; +const uint32_t C_AUDIT_ARCH_RISCV64 = AUDIT_ARCH_RISCV64; */ import "C" @@ -202,6 +210,8 @@ return nativeArch(C.C_AUDIT_ARCH_S390), nil case libseccomp.ArchS390X: return nativeArch(C.C_AUDIT_ARCH_S390X), nil + case libseccomp.ArchRISCV64: + return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil default: return invalidArch, fmt.Errorf("unknown architecture: %v", arch) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/man/runc.8.md new/runc-1.1.8/man/runc.8.md --- old/runc-1.1.7/man/runc.8.md 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/man/runc.8.md 2023-07-19 07:15:32.000000000 +0200 @@ -40,20 +40,16 @@ : Create a container. See **runc-create**(8). **delete** -: Delete any resources held by the container often used with detached +: Delete any resources held by the container; often used with detached containers. See **runc-delete**(8). **events** -: Display container events such as OOM notifications, cpu, memory, IO and -network stats. See **runc-events**(8). +: Display container events, such as OOM notifications, CPU, memory, I/O and +network statistics. See **runc-events**(8). **exec** : Execute a new process inside the container. See **runc-exec**(8). -**init** -: Initialize the namespaces and launch the container init process. This command -is not supposed to be used directly. - **kill** : Send a specified signal to the container's init process. See **runc-kill**(8). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/script/lib.sh new/runc-1.1.8/script/lib.sh --- old/runc-1.1.7/script/lib.sh 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/script/lib.sh 2023-07-19 07:15:32.000000000 +0200 
@@ -23,6 +23,9 @@ ppc64le) HOST=powerpc64le-linux-gnu ;; + riscv64) + HOST=riscv64-linux-gnu + ;; s390x) HOST=s390x-linux-gnu ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/cgroups.bats new/runc-1.1.8/tests/integration/cgroups.bats --- old/runc-1.1.7/tests/integration/cgroups.bats 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/cgroups.bats 2023-07-19 07:15:32.000000000 +0200 @@ -49,8 +49,8 @@ if [ "$(id -u)" = "0" ]; then check_cgroup_value "cgroup.controllers" "$(cat /sys/fs/cgroup/machine.slice/cgroup.controllers)" else - # Filter out hugetlb and misc as systemd is unable to delegate them. - check_cgroup_value "cgroup.controllers" "$(sed -e 's/ hugetlb//' -e 's/ misc//' </sys/fs/cgroup/user.slice/user-"$(id -u)".slice/cgroup.controllers)" + # Filter out controllers that systemd is unable to delegate. + check_cgroup_value "cgroup.controllers" "$(sed 's/ \(hugetlb\|misc\|rdma\)//g' </sys/fs/cgroup/user.slice/user-"$(id -u)".slice/cgroup.controllers)" fi else check_cgroup_value "cgroup.controllers" "$(cat /sys/fs/cgroup/cgroup.controllers)" @@ -233,7 +233,6 @@ set_cgroups_path # CPU shares of 3333 corresponds to CPU weight of 128. update_config ' .linux.resources.memory |= {"limit": 33554432} - | .linux.resources.memorySwap |= {"limit": 33554432} | .linux.resources.cpu |= { "shares": 3333, "quota": 40000, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/checkpoint.bats new/runc-1.1.8/tests/integration/checkpoint.bats --- old/runc-1.1.7/tests/integration/checkpoint.bats 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/checkpoint.bats 2023-07-19 07:15:32.000000000 +0200 
@@ -344,7 +344,7 @@ runc checkpoint --work-path ./work-dir test_busybox grep -B 5 Error ./work-dir/dump.log || true [ "$status" -eq 0 ] - ! test -f ./work-dir/"$tmplog1" + run ! test -f ./work-dir/"$tmplog1" test -f ./work-dir/"$tmplog2" # after checkpoint busybox is no longer running @@ -355,7 +355,7 @@ runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox grep -B 5 Error ./work-dir/restore.log || true [ "$status" -eq 0 ] - ! test -f ./work-dir/"$tmplog1" + run ! test -f ./work-dir/"$tmplog1" test -f ./work-dir/"$tmplog2" # busybox should be back up and running diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/delete.bats new/runc-1.1.8/tests/integration/delete.bats --- old/runc-1.1.7/tests/integration/delete.bats 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/delete.bats 2023-07-19 07:15:32.000000000 +0200 
@@ -168,3 +168,30 @@ # check delete subcgroups success [ ! -d "$CGROUP_PATH"/foo ] } + +@test "runc delete removes failed systemd unit" { + requires systemd_v244 # Older systemd lacks RuntimeMaxSec support. + + set_cgroups_path + # shellcheck disable=SC2016 + update_config ' .annotations += { + "org.systemd.property.RuntimeMaxSec": "2", + "org.systemd.property.TimeoutStopSec": "1" + } + | .process.args |= ["/bin/sleep", "10"]' + + runc run -d --console-socket "$CONSOLE_SOCKET" test-failed-unit + [ "$status" -eq 0 ] + + wait_for_container 10 1 test-failed-unit stopped + + local user="" + [ $EUID -ne 0 ] && user="--user" + + # Expect "unit is not active" exit code. + run -3 systemctl status $user "$SD_UNIT_NAME" + + runc delete test-failed-unit + # Expect "no such unit" exit code. + run -4 systemctl status $user "$SD_UNIT_NAME" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/events.bats new/runc-1.1.8/tests/integration/events.bats --- old/runc-1.1.7/tests/integration/events.bats 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/events.bats 2023-07-19 07:15:32.000000000 +0200 @@ -93,7 +93,7 @@ retry 10 1 grep -q test_busybox events.log # shellcheck disable=SC2016 __runc exec -d test_busybox sh -c 'test=$(dd if=/dev/urandom ibs=5120k)' - retry 10 1 grep -q oom events.log + retry 30 1 grep -q oom events.log __runc delete -f test_busybox ) & wait # wait for the above sub shells to finish diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/exec.bats new/runc-1.1.8/tests/integration/exec.bats --- old/runc-1.1.7/tests/integration/exec.bats 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/exec.bats 2023-07-19 07:15:32.000000000 +0200 
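Review bot: `runc delete test-failed-unit` is not followed by `[ "$status" -eq 0 ]`, unlike the `runc run` above it, so a delete that reports an error yet still leaves systemd without the unit passes silently; add the status check so the test pins both the exit code and the unit removal. `[ $EUID -ne 0 ]` leaves $EUID unquoted, harmless for a numeric shell variable but out of step with the quoting style of the rest of the file; `[ "$EUID" -ne 0 ]` matches it. The `$user` expansions on the two `run` lines are intentionally unquoted so an empty value vanishes, which shellcheck flags as SC2086; a `# shellcheck disable=SC2086` directive on those lines documents the intent the same way SC2016 is handled a few lines up.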
@@ -235,12 +235,12 @@ # Check we can join top-level cgroup (implicit). runc exec test_busybox cat /proc/self/cgroup [ "$status" -eq 0 ] - ! grep -v ":$REL_CGROUPS_PATH\$" <<<"$output" + run ! grep -v ":$REL_CGROUPS_PATH\$" <<<"$output" # Check we can join top-level cgroup (explicit). runc exec --cgroup / test_busybox cat /proc/self/cgroup [ "$status" -eq 0 ] - ! grep -v ":$REL_CGROUPS_PATH\$" <<<"$output" + run ! grep -v ":$REL_CGROUPS_PATH\$" <<<"$output" # Create a few subcgroups. # Note that cpu,cpuacct may be mounted together or separate. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/helpers.bash new/runc-1.1.8/tests/integration/helpers.bash --- old/runc-1.1.7/tests/integration/helpers.bash 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/helpers.bash 2023-07-19 07:15:32.000000000 +0200 @@ -1,10 +1,6 @@ #!/bin/bash -# bats-core v1.2.1 defines BATS_RUN_TMPDIR -if [ -z "$BATS_RUN_TMPDIR" ]; then - echo "bats >= v1.2.1 is required. Aborting." >&2 - exit 1 -fi +bats_require_minimum_version 1.5.0 # Root directory of integration tests. INTEGRATION_ROOT=$(dirname "$(readlink -f "${BASH_SOURCE[0]}")") @@ -347,7 +343,7 @@ # Workaround for https://github.com/opencontainers/runc/issues/3532. local ver ver=$(rpm -q criu 2>/dev/null || true) - ! grep -q '^criu-3\.17-[123]\.el9' <<<"$ver" + run ! grep -q '^criu-3\.17-[123]\.el9' <<<"$ver" } # Allows a test to specify what things it requires. If the environment can't 
@@ -445,6 +441,12 @@ skip_me=1 fi ;; + systemd_v*) + var=${var#systemd_v} + if [ "$(systemd_version)" -lt "$var" ]; then + skip "requires systemd >= v${var}" + fi + ;; no_systemd) if [ -n "${RUNC_USE_SYSTEMD}" ]; then skip_me=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.7/tests/integration/run.bats new/runc-1.1.8/tests/integration/run.bats --- old/runc-1.1.7/tests/integration/run.bats 2023-04-26 23:49:01.000000000 +0200 +++ new/runc-1.1.8/tests/integration/run.bats 2023-07-19 07:15:32.000000000 +0200 @@ -58,3 +58,37 @@ runc state test_run_keep [ "$status" -ne 0 ] } + +@test "runc run with tmpfs perms" { + # shellcheck disable=SC2016 + update_config '.process.args = ["sh", "-c", "stat -c %a /tmp/test"]' + update_config '.mounts += [{"destination": "/tmp/test", "type": "tmpfs", "source": "tmpfs", "options": ["mode=0444"]}]' + + # Directory is to be created by runc. + runc run test_tmpfs + [ "$status" -eq 0 ] + [ "$output" = "444" ] + + # Run a 2nd time with the pre-existing directory. + # Ref: https://github.com/opencontainers/runc/issues/3911 + runc run test_tmpfs + [ "$status" -eq 0 ] + [ "$output" = "444" ] + + # Existing directory, custom perms, no mode on the mount, + # so it should use the directory's perms. + update_config '.mounts[-1].options = []' + chmod 0710 rootfs/tmp/test + # shellcheck disable=SC2016 + runc run test_tmpfs + [ "$status" -eq 0 ] + [ "$output" = "710" ] + + # Add back the mode on the mount, and it should use that instead. + # Just for fun, use different perms than was used earlier. + # shellcheck disable=SC2016 + update_config '.mounts[-1].options = ["mode=0410"]' + runc run test_tmpfs + [ "$status" -eq 0 ] + [ "$output" = "410" ] +}
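Review bot: The new `systemd_v*)` case calls `skip` directly inside the loop, while the neighbouring branches (the `skip_me=1` visible just above it and in `no_systemd)`) only set `skip_me=1` and leave the skipping to the end of `requires`; skipping mid-loop means any requirement listed after it is never evaluated and the skip message differs from the one the function normally prints. Setting `skip_me=1` instead, with the reason carried the same way the other branches do (how the message is built is not visible in this hunk), keeps the branches uniform. `systemd_version` is not defined in the hunk and the `-lt` comparison assumes it prints a bare integer; a comment stating that would help. The `requires` function starts before and ends after this hunk.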
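Review bot: The `# shellcheck disable=SC2016` placed after `chmod 0710 rootfs/tmp/test` is attached to `runc run test_tmpfs`, a line with no single-quoted `$`, so it suppresses nothing; either drop it or move it above the preceding `update_config '.mounts[-1].options = []'` line where the directive is meaningful. The four rounds use 0444, 0710 and 0410 only, none of which carries a setuid, setgid or sticky bit; adding a round with `chmod 1777 rootfs/tmp/test` and an expected output of `1777` would cover the bits that are easiest to lose when the mode is derived from the existing directory. The test is self-contained within the hunk.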
