Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package runc for openSUSE:Factory checked in at 2022-04-02 18:20:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/runc (Old) and /work/SRC/openSUSE:Factory/.runc.new.1900 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "runc" Sat Apr 2 18:20:10 2022 rev:45 rq:965512 version:1.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/runc/runc.changes 2022-01-21 01:24:57.754775411 +0100 +++ /work/SRC/openSUSE:Factory/.runc.new.1900/runc.changes 2022-04-02 18:20:17.394443912 +0200 @@ -1,0 +2,17 @@ +Tue Mar 29 03:33:30 UTC 2022 - Aleksa Sarai <asa...@suse.com> + +- Update to runc v1.1.1. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.1. + + * runc run/start can now run a container with read-only /dev in OCI spec, + rather than error out. (#3355) + * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) + libcontainer systemd v2 manager no longer errors out if one of the files + listed in /sys/kernel/cgroup/delegate do not exist in container's + cgroup. (#3387, #3404) + * Loosen OCI spec validation to avoid bogus "Intel RDT is not supported" + error. (#3406) + * libcontainer/cgroups no longer panics in cgroup v1 managers if stat + of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435) + +------------------------------------------------------------------- Old: ---- runc-1.1.0.tar.xz runc-1.1.0.tar.xz.asc New: ---- runc-1.1.1.tar.xz runc-1.1.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ runc.spec ++++++ --- /var/tmp/diff_new_pack.Vn5V50/_old 2022-04-02 18:20:17.858438703 +0200 +++ /var/tmp/diff_new_pack.Vn5V50/_new 2022-04-02 18:20:17.862438658 +0200 
@@ -18,16 +18,16 @@ # MANUAL: Make sure you update this each time you update runc. -%define git_version 605c1cb1cc0ce1492d040b5c221b35b606f9a3e0 -%define git_short 605c1cb1cc0c +%define git_version 52de29d7e0f8c0899bd7efb8810dd07f0073fa87 +%define git_short 52de29d7e0f8 # Package-wide golang version %define go_version 1.17 %define project github.com/opencontainers/runc Name: runc -Version: 1.1.0 -%define _version 1.1.0 +Version: 1.1.1 +%define _version 1.1.1 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 ++++++ runc-1.1.0.tar.xz -> runc-1.1.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/.cirrus.yml new/runc-1.1.1/.cirrus.yml --- old/runc-1.1.0/.cirrus.yml 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/.cirrus.yml 2022-03-28 21:02:47.000000000 +0200 @@ -74,6 +74,7 @@ matrix: DISTRO: centos-7 DISTRO: centos-stream-8 + DISTRO: centos-stream-9 name: ci / $DISTRO @@ -95,6 +96,10 @@ centos-stream-8) yum config-manager --set-enabled powertools # for glibc-static ;; + centos-stream-9) + dnf config-manager --set-enabled crb # for glibc-static + dnf -y install epel-release epel-next-release # for fuse-sshfs + ;; esac # Work around dnf mirror failures by retrying a few times. for i in $(seq 0 2); do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/CHANGELOG.md new/runc-1.1.1/CHANGELOG.md --- old/runc-1.1.0/CHANGELOG.md 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/CHANGELOG.md 2022-03-28 21:02:47.000000000 +0200 
@@ -6,11 +6,30 @@ ## [Unreleased] +## [1.1.1] - 2022-03-28 + +> Violence is the last refuge of the incompetent. + +### Added + * CI is now also run on centos-stream-9. (#3436) + +### Fixed + * `runc run/start` can now run a container with read-only `/dev` in OCI spec, + rather than error out. (#3355) + * `runc exec` now ensures that `--cgroup` argument is a sub-cgroup. (#3403) + * libcontainer systemd v2 manager no longer errors out if one of the files + listed in `/sys/kernel/cgroup/delegate` do not exist in container's cgroup. + (#3387, #3404) + * Loose OCI spec validation to avoid bogus "Intel RDT is not supported" error. + (#3406) + * libcontainer/cgroups no longer panics in cgroup v1 managers if `stat` + of `/sys/fs/cgroup/unified` returns an error other than ENOENT. (#3435) + ## [1.1.0] - 2022-01-14 > A plan depends as much upon execution as it does upon concept. -## Changed +### Changed * libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and @@ -233,7 +252,8 @@ cgroups at all during `runc update`). (#2994) <!-- minor releases --> -[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.0...HEAD +[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.1...HEAD +[1.1.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.1.1 [1.1.0]: https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0 [1.0.0]: https://github.com/opencontainers/runc/releases/tag/v1.0.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/README.md new/runc-1.1.1/README.md --- old/runc-1.1.0/README.md 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/README.md 2022-03-28 21:02:47.000000000 +0200 
@@ -1,10 +1,11 @@ # runc [](https://goreportcard.com/report/github.com/opencontainers/runc) -[](https://godoc.org/github.com/opencontainers/runc) +[](https://pkg.go.dev/github.com/opencontainers/runc) [](https://bestpractices.coreinfrastructure.org/projects/588) [](https://github.com/opencontainers/runc/actions?query=workflow%3Avalidate) [](https://github.com/opencontainers/runc/actions?query=workflow%3Aci) +[](https://cirrus-ci.com/github/opencontainers/runc) ## Introduction diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/VERSION new/runc-1.1.1/VERSION --- old/runc-1.1.0/VERSION 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/VERSION 2022-03-28 21:02:47.000000000 +0200 @@ -1 +1 @@ -1.1.0 +1.1.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/libcontainer/README.md new/runc-1.1.1/libcontainer/README.md --- old/runc-1.1.0/libcontainer/README.md 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/libcontainer/README.md 2022-03-28 21:02:47.000000000 +0200 @@ -1,6 +1,6 @@ # libcontainer -[](https://godoc.org/github.com/opencontainers/runc/libcontainer) +[](https://pkg.go.dev/github.com/opencontainers/runc/libcontainer) Libcontainer provides a native Go implementation for creating containers with namespaces, cgroups, capabilities, and filesystem access controls. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/libcontainer/cgroups/systemd/v2.go new/runc-1.1.1/libcontainer/cgroups/systemd/v2.go --- old/runc-1.1.0/libcontainer/cgroups/systemd/v2.go 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/libcontainer/cgroups/systemd/v2.go 2022-03-28 21:02:47.000000000 +0200 @@ -2,6 +2,7 @@ import ( "bufio" + "errors" "fmt" "math" "os" 
@@ -292,6 +293,12 @@ } if c.OwnerUID != nil { + // The directory itself must be chowned. + err := os.Chown(m.path, *c.OwnerUID, -1) + if err != nil { + return err + } + filesToChown, err := cgroupFilesToChown() if err != nil { return err @@ -299,7 +306,8 @@ for _, v := range filesToChown { err := os.Chown(m.path+"/"+v, *c.OwnerUID, -1) - if err != nil { + // Some files might not be present. + if err != nil && !errors.Is(err, os.ErrNotExist) { return err } } @@ -312,21 +320,23 @@ // uid in /sys/kernel/cgroup/delegate. If the file is not present // (Linux < 4.15), use the initial values mentioned in cgroups(7). func cgroupFilesToChown() ([]string, error) { - filesToChown := []string{"."} // the directory itself must be chowned const cgroupDelegateFile = "/sys/kernel/cgroup/delegate" + f, err := os.Open(cgroupDelegateFile) - if err == nil { - defer f.Close() - scanner := bufio.NewScanner(f) - for scanner.Scan() { - filesToChown = append(filesToChown, scanner.Text()) - } - if err := scanner.Err(); err != nil { - return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err) - } - } else { - filesToChown = append(filesToChown, "cgroup.procs", "cgroup.subtree_control", "cgroup.threads") + if err != nil { + return []string{"cgroup.procs", "cgroup.subtree_control", "cgroup.threads"}, nil } + defer f.Close() + + filesToChown := []string{} + scanner := bufio.NewScanner(f) + for scanner.Scan() { + filesToChown = append(filesToChown, scanner.Text()) + } + if err := scanner.Err(); err != nil { + return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err) + } + return filesToChown, nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/libcontainer/cgroups/utils.go new/runc-1.1.1/libcontainer/cgroups/utils.go --- old/runc-1.1.0/libcontainer/cgroups/utils.go 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/libcontainer/cgroups/utils.go 2022-03-28 21:02:47.000000000 +0200 
@@ -55,12 +55,12 @@ var st unix.Statfs_t err := unix.Statfs(hybridMountpoint, &st) if err != nil { - if os.IsNotExist(err) { - // ignore the "not found" error - isHybrid = false - return + isHybrid = false + if !os.IsNotExist(err) { + // Report unexpected errors. + logrus.WithError(err).Debugf("statfs(%q) failed", hybridMountpoint) } - panic(fmt.Sprintf("cannot statfs cgroup root: %s", err)) + return } isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC }) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/libcontainer/configs/validate/validator.go new/runc-1.1.1/libcontainer/configs/validate/validator.go --- old/runc-1.1.0/libcontainer/configs/validate/validator.go 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/libcontainer/configs/validate/validator.go 2022-03-28 21:02:47.000000000 +0200 @@ -229,10 +229,6 @@ func (v *ConfigValidator) intelrdt(config *configs.Config) error { if config.IntelRdt != nil { - if !intelrdt.IsCATEnabled() && !intelrdt.IsMBAEnabled() { - return errors.New("intelRdt is specified in config, but Intel RDT is not supported or enabled") - } - if config.IntelRdt.ClosID == "." || config.IntelRdt.ClosID == ".." || strings.Contains(config.IntelRdt.ClosID, "/") { return fmt.Errorf("invalid intelRdt.ClosID %q", config.IntelRdt.ClosID) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/libcontainer/container_linux.go new/runc-1.1.1/libcontainer/container_linux.go --- old/runc-1.1.0/libcontainer/container_linux.go 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/libcontainer/container_linux.go 2022-03-28 21:02:47.000000000 +0200 
@@ -636,7 +636,11 @@ // cgroup v1: using the same path for all controllers. // cgroup v2: the only possible way. for k := range proc.cgroupPaths { - proc.cgroupPaths[k] = path.Join(proc.cgroupPaths[k], add) + subPath := path.Join(proc.cgroupPaths[k], add) + if !strings.HasPrefix(subPath, proc.cgroupPaths[k]) { + return nil, fmt.Errorf("%s is not a sub cgroup path", add) + } + proc.cgroupPaths[k] = subPath } // cgroup v2: do not try to join init process's cgroup // as a fallback (see (*setnsProcess).start). @@ -645,7 +649,11 @@ // Per-controller paths. for ctrl, add := range p.SubCgroupPaths { if val, ok := proc.cgroupPaths[ctrl]; ok { - proc.cgroupPaths[ctrl] = path.Join(val, add) + subPath := path.Join(val, add) + if !strings.HasPrefix(subPath, val) { + return nil, fmt.Errorf("%s is not a sub cgroup path", add) + } + proc.cgroupPaths[ctrl] = subPath } else { return nil, fmt.Errorf("unknown controller %s in SubCgroupPaths", ctrl) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/libcontainer/init_linux.go new/runc-1.1.1/libcontainer/init_linux.go --- old/runc-1.1.0/libcontainer/init_linux.go 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/libcontainer/init_linux.go 2022-03-28 21:02:47.000000000 +0200 @@ -8,7 +8,6 @@ "io" "net" "os" - "strconv" "strings" "unsafe" 
@@ -406,40 +405,36 @@ if err := unix.Stat("/dev/null", &null); err != nil { return &os.PathError{Op: "stat", Path: "/dev/null", Err: err} } - for _, fd := range []uintptr{ - os.Stdin.Fd(), - os.Stderr.Fd(), - os.Stdout.Fd(), - } { + for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} { var s unix.Stat_t - if err := unix.Fstat(int(fd), &s); err != nil { - return &os.PathError{Op: "fstat", Path: "fd " + strconv.Itoa(int(fd)), Err: err} + if err := unix.Fstat(int(file.Fd()), &s); err != nil { + return &os.PathError{Op: "fstat", Path: file.Name(), Err: err} } - // Skip chown of /dev/null if it was used as one of the STDIO fds. - if s.Rdev == null.Rdev { + // Skip chown if uid is already the one we want. + if int(s.Uid) == u.Uid { continue } - // We only change the uid owner (as it is possible for the mount to + // We only change the uid (as it is possible for the mount to // prefer a different gid, and there's no reason for us to change it). // The reason why we don't just leave the default uid=X mount setup is // that users expect to be able to actually use their console. Without // this code, you couldn't effectively run as a non-root user inside a // container and also have a console set up. - if err := unix.Fchown(int(fd), u.Uid, int(s.Gid)); err != nil { + if err := file.Chown(u.Uid, int(s.Gid)); err != nil { // If we've hit an EINVAL then s.Gid isn't mapped in the user // namespace. If we've hit an EPERM then the inode's current owner // is not mapped in our user namespace (in particular, - // privileged_wrt_inode_uidgid() has failed). In either case, we - // are in a configuration where it's better for us to just not - // touch the stdio rather than bail at this point. + // privileged_wrt_inode_uidgid() has failed). Read-only + // /dev can result in EROFS error. In any case, it's + // better for us to just not touch the stdio rather + // than bail at this point. 
- // nolint:errorlint // unix errors are bare - if err == unix.EINVAL || err == unix.EPERM { + if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) { continue } - return &os.PathError{Op: "fchown", Path: "fd " + strconv.Itoa(int(fd)), Err: err} + return err } } return nil diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.0/tests/integration/exec.bats new/runc-1.1.1/tests/integration/exec.bats --- old/runc-1.1.0/tests/integration/exec.bats 2022-01-17 09:16:31.000000000 +0100 +++ new/runc-1.1.1/tests/integration/exec.bats 2022-03-28 21:02:47.000000000 +0200 @@ -197,6 +197,11 @@ __runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running + # Check we can't join parent cgroup. + runc exec --cgroup ".." test_busybox cat /proc/self/cgroup + [ "$status" -ne 0 ] + [[ "$output" == *" .. is not a sub cgroup path"* ]] + # Check we can't join non-existing subcgroup. runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup [ "$status" -ne 0 ] @@ -243,6 +248,11 @@ __runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox testcontainer test_busybox running + # Check we can't join parent cgroup. + runc exec --cgroup ".." test_busybox cat /proc/self/cgroup + [ "$status" -ne 0 ] + [[ "$output" == *" .. is not a sub cgroup path"* ]] + # Check we can't join non-existing subcgroup. runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup [ "$status" -ne 0 ]
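Review bot: two wording slips in the CHANGELOG.md hunk's new 1.1.1 "Fixed" list: "Loose OCI spec validation" should read "Loosen OCI spec validation", and "if one of the files listed in `/sys/kernel/cgroup/delegate` do not exist" should be "does not exist". The same two phrasings are copied into the runc.changes entry, so both should be corrected together.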
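Review bot: in the second systemd/v2.go hunk (@@ -299,7 +306,8 @@), `errors.Is(err, os.ErrNotExist)` now silently skips any delegate file that is missing from the container cgroup, with nothing recorded; a Debug log naming the skipped file would make it possible to tell, from a trace, which of the delegate files were actually handed to the container owner and which were not.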
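Review bot: in the third systemd/v2.go hunk (@@ -312,21 +320,23 @@), the rewritten `cgroupFilesToChown` returns the hard-coded fallback list for any `os.Open` error, while the comment above it says the fallback is for the file being "not present (Linux < 4.15)". An EACCES or EIO on `/sys/kernel/cgroup/delegate` would therefore be swallowed and the three default files chowned as if the host were old. Suggest returning the defaults only when `errors.Is(err, os.ErrNotExist)` and otherwise `return nil, fmt.Errorf("error opening %s: %w", cgroupDelegateFile, err)`; the `errors` import is already added in this file's first hunk.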
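Review bot: in the utils.go hunk, a statfs failure that is not ENOENT is now reduced to `isHybrid = false` plus a Debug-level log and the result is cached in `isHybrid`, so a permissions or transient error on `hybridMountpoint` silently commits the process to non-hybrid handling for its lifetime. Replacing the panic is the right call, but the message belongs at Warn level, or the error should be propagated to the caller, so an operator can see why cgroup v1 managers took the degraded path.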
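Review bot: the validator.go hunk deletes the `IsCATEnabled`/`IsMBAEnabled` check entirely rather than narrowing it, so a config that specifies `intelRdt` on a host without RDT no longer fails with the explicit "Intel RDT is not supported or enabled" message and will only be reported wherever the RDT settings are later applied. The CHANGELOG line should say where that condition now surfaces, and an integration test should cover that it is still an error rather than a silent no-op.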
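Review bot: the sub-cgroup check in the first container_linux.go hunk (@@ -636,7 +636,11 @@) uses a bare string prefix, `strings.HasPrefix(subPath, proc.cgroupPaths[k])`, so a cleaned path that names a sibling directory whose name merely begins with the base name (base `/a/b`, result `/a/bar`) is accepted as a "sub cgroup" although it lies outside the base. Compare against the base with a trailing separator, e.g. `base := proc.cgroupPaths[k]` and `if subPath != base && !strings.HasPrefix(subPath, base+"/")`, so that only the base itself or a true descendant passes. Also confirm `strings` is already imported in this file, since the hunk adds its first visible use without an import change.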
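Review bot: the per-controller hunk in container_linux.go (@@ -645,7 +649,11 @@) has the same weakness as the common-path branch: `strings.HasPrefix(subPath, val)` accepts `val` followed by any characters, so a sibling directory sharing the base name as a prefix is treated as a descendant. Because both hunks repeat identical logic, move it into one small helper (a hypothetical `joinSubCgroup(base, add string) (string, error)` that does the trailing-slash comparison and returns the existing "%s is not a sub cgroup path" error) and call it from both sites so they cannot drift apart.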
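Review bot: in the init_linux.go stdio hunk (@@ -406,40 +405,36 @@), `unix.Stat("/dev/null", &null)` and its error return are kept as context while the only consumer of `null`, the removed `s.Rdev == null.Rdev` comparison, is deleted, so the stat is now dead work unless `null` is used elsewhere in the function; either drop it or keep the /dev/null skip next to the new "uid already matches" check. Also verify `errors` is imported here, since the import hunk for this file only removes `strconv`, and the new `errors.Is` chain needs it. The expanded comment is good; it would help to say explicitly that EROFS is the read-only `/dev` case referenced by the 1.1.1 changelog entry.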
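Review bot: the new `--cgroup ".."` case in the first exec.bats hunk (@@ -197,6 +197,11 @@) only checks the parent directory. Add a case for a sibling whose directory name begins with the container's own cgroup name, since that is exactly what a plain string-prefix comparison would accept, and assert it is rejected with the same "is not a sub cgroup path" message.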
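Review bot: the second exec.bats hunk (@@ -243,6 +248,11 @@) duplicates the same four lines as the first; a shared bats helper for the "cannot join parent cgroup" assertion would keep the two test functions in sync when the expected error message changes.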