Hello community, here is the log from the commit of package docker-runc for openSUSE:Leap:15.2 checked in at 2020-06-20 06:22:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/docker-runc (Old) and /work/SRC/openSUSE:Leap:15.2/.docker-runc.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-runc" Sat Jun 20 06:22:35 2020 rev:43 rq:815927 version:1.0.0rc10+gitr3981_dc9208a3303f Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/docker-runc/docker-runc.changes 2020-05-31 13:45:34.253646062 +0200 +++ /work/SRC/openSUSE:Leap:15.2/.docker-runc.new.3606/docker-runc.changes 2020-06-21 19:35:51.993813445 +0200 @@ -1,0 +2,12 @@ +Tue Jun 2 11:21:30 UTC 2020 - Aleksa Sarai <[email protected]> + +- Update to runc v1.0.0-rc10, which is required for Docker 19.03.11-ce. + bsc#1172377 +- Remove upstreamed patches: + - CVE-2019-16884.patch + - CVE-2019-19921.patch +- Synchronise patches with 'runc' package: + + bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch + * bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch + +------------------------------------------------------------------- Old: ---- CVE-2019-16884.patch CVE-2019-19921.patch docker-runc-git.3e425f80a8c9.tar.xz New: ---- bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch docker-runc-git.dc9208a3303f.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker-runc.spec ++++++ --- /var/tmp/diff_new_pack.DwcjI3/_old 2020-06-21 19:35:52.357815173 +0200 +++ /var/tmp/diff_new_pack.DwcjI3/_new 2020-06-21 19:35:52.361815192 +0200 
@@ -29,21 +29,17 @@ %endif # MANUAL: Update the git_version, git_short, and git_revision -%define git_version 3e425f80a8c931f88e6d94a8c831b9d5aa481657 -%define git_short 3e425f80a8c9 -# How to get the git_revision -# git clone ${url}.git runc-upstream -# cd runc-upstream -# git checkout $git_version -# git_revision=r$(git rev-list HEAD | wc -l) -%define git_revision r3917 +%define git_version dc9208a3303feef5b3839f4323d9beb36df0a9dd +%define git_short dc9208a3303f +# git_revision=r$(git rev-list $COMMIT_ID | wc -l) +%define git_revision r3981 %define go_tool go %define _name runc %define project github.com/opencontainers/%{_name} Name: %{realname}%{name_suffix} -Version: 1.0.0rc8+git%{git_revision}_%{git_short} +Version: 1.0.0rc10+git%{git_revision}_%{git_short} Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 @@ -51,12 +47,10 @@ URL: https://github.com/opencontainers/runc Source: %{realname}-git.%{git_short}.tar.xz Source1: %{realname}-rpmlintrc -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2130. -Patch1: CVE-2019-16884.patch -# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2207. -Patch2: CVE-2019-19921.patch +# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1807. bsc#1149954 +Patch0: bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch # FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2391. bsc#1168481 -Patch3: bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch +Patch1: bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch BuildRequires: fdupes BuildRequires: go-go-md2man BuildRequires: libapparmor-devel 
@@ -93,12 +87,10 @@ %prep %setup -q -n %{realname}-git.%{git_short} -# CVE-2019-16884 bsc#1152308 -%patch1 -p1 -# CVE-2019-19921 -%patch2 -p1 +# bsc#1149954 +%patch0 -p1 # bsc#1168481 -%patch3 -p1 +%patch1 -p1 %build # Do not use symlinks. If you want to run the unit tests for this package at ++++++ _service ++++++ --- /var/tmp/diff_new_pack.DwcjI3/_old 2020-06-21 19:35:52.389815325 +0200 +++ /var/tmp/diff_new_pack.DwcjI3/_new 2020-06-21 19:35:52.393815344 +0200 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="filename">docker-runc</param> <param name="versionformat">git.%h</param> - <param name="revision">3e425f80a8c931f88e6d94a8c831b9d5aa481657</param> + <param name="revision">dc9208a3303feef5b3839f4323d9beb36df0a9dd</param> <param name="exclude">.git</param> </service> <service name="recompress" mode="disabled"> ++++++ bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch ++++++ >From 5d13416879fe0f50c300d94c569ea77950cbee94 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano <[email protected]> Date: Fri, 25 May 2018 18:04:06 +0200 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create if NOTIFY_SOCKET is used, do not block the main runc process waiting for events on the notify socket. Bind mount the parent directory of the notify socket, so that "start" can create the socket and it is still accessible from the container. Signed-off-by: Giuseppe Scrivano <[email protected]> (cherry picked from commit 25fd4a67571992b9121f77d2a4f0d89d4375f383) --- notify_socket.go | 132 +++++++++++++++++++++++++++++++++-------------- signals.go | 4 +- start.go | 13 ++++- utils_linux.go | 12 ++++- 4 files changed, 116 insertions(+), 45 deletions(-) diff --git a/notify_socket.go b/notify_socket.go index e7453c62..f313a7a6 100644 --- a/notify_socket.go +++ b/notify_socket.go 
@@ -7,11 +7,13 @@ import ( "fmt" "net" "os" + "path" "path/filepath" + "strconv" + "time" + "github.com/opencontainers/runc/libcontainer" "github.com/opencontainers/runtime-spec/specs-go" - - "github.com/sirupsen/logrus" "github.com/urfave/cli" ) @@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) * } root := filepath.Join(context.GlobalString("root"), id) - path := filepath.Join(root, "notify.sock") + socketPath := filepath.Join(root, "notify", "notify.sock") notifySocket := ¬ifySocket{ socket: nil, host: notifySocketHost, - socketPath: path, + socketPath: socketPath, } return notifySocket @@ -44,13 +46,19 @@ func (s *notifySocket) Close() error { // If systemd is supporting sd_notify protocol, this function will add support // for sd_notify protocol from within the container. -func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) { - mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}} +func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) error { + pathInContainer := filepath.Join("/run/notify", path.Base(s.socketPath)) + mount := specs.Mount{ + Destination: path.Dir(pathInContainer), + Source: path.Dir(s.socketPath), + Options: []string{"bind", "nosuid", "noexec", "nodev", "ro"}, + } spec.Mounts = append(spec.Mounts, mount) - spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host)) + spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer)) + return nil } -func (s *notifySocket) setupSocket() error { +func (s *notifySocket) bindSocket() error { addr := net.UnixAddr{ Name: s.socketPath, Net: "unixgram", 
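Review bot: In setupSpec the new `spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer))` does not check whether the spec already carries a NOTIFY_SOCKET entry, so the container can end up with two, and which one its libc returns for getenv is then up to the libc; consider removing any existing `NOTIFY_SOCKET=` entry before appending, or at least documenting that the runc-provided value is meant to win. The function now returns `error` but has no path that returns anything other than nil, and the in-container destination `/run/notify` is a fixed path that will shadow whatever the image has there, neither of which the code explains; a doc comment such as `// setupSpec bind-mounts the host-side socket directory read-only (nosuid,noexec,nodev) at /run/notify and points NOTIFY_SOCKET at it; the directory rather than the socket is mounted so that "start" can bind the socket after the spec has been applied.` would cover both. Mounting a runc-private directory with those options instead of the host's s.host path directly is a clear improvement over the removed line.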
@@ -71,46 +79,92 @@ func (s *notifySocket) setupSocket() error { return nil } -// pid1 must be set only with -d, as it is used to set the new process as the main process -// for the service in systemd -func (s *notifySocket) run(pid1 int) { - buf := make([]byte, 512) - notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"} +func (s *notifySocket) setupSocketDirectory() error { + return os.Mkdir(path.Dir(s.socketPath), 0755) +} + +func notifySocketStart(context *cli.Context, notifySocketHost, id string) (*notifySocket, error) { + notifySocket := newNotifySocket(context, notifySocketHost, id) + if notifySocket == nil { + return nil, nil + } + + if err := notifySocket.bindSocket(); err != nil { + return nil, err + } + return notifySocket, nil +} + +func (n *notifySocket) waitForContainer(container libcontainer.Container) error { + s, err := container.State() + if err != nil { + return err + } + return n.run(s.InitProcessPid) +} + +func (n *notifySocket) run(pid1 int) error { + if n.socket == nil { + return nil + } + notifySocketHostAddr := net.UnixAddr{Name: n.host, Net: "unixgram"} client, err := net.DialUnix("unixgram", nil, ¬ifySocketHostAddr) if err != nil { - logrus.Error(err) - return + return err } - for { - r, err := s.socket.Read(buf) - if err != nil { - break - } - var out bytes.Buffer - for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) { - if bytes.HasPrefix(line, []byte("READY=")) { - _, err = out.Write(line) - if err != nil { - return - } - _, err = out.Write([]byte{'\n'}) - if err != nil { - return - } + ticker := time.NewTicker(time.Millisecond * 100) + defer ticker.Stop() - _, err = client.Write(out.Bytes()) - if err != nil { + fileChan := make(chan []byte) + go func() { + for { + buf := make([]byte, 4096) + r, err := n.socket.Read(buf) + if err != nil { + return + } + got := buf[0:r] + // systemd-ready sends a single datagram with the state string as payload, + // so we don't need to worry about partial messages. 
+ for _, line := range bytes.Split(got, []byte{'\n'}) { + if bytes.HasPrefix(got, []byte("READY=")) { + fileChan <- line return } + } - // now we can inform systemd to use pid1 as the pid to monitor - if pid1 > 0 { - newPid := fmt.Sprintf("MAINPID=%d\n", pid1) - client.Write([]byte(newPid)) - } - return + } + }() + + for { + select { + case <-ticker.C: + _, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid1))) + if err != nil { + return nil } + case b := <-fileChan: + var out bytes.Buffer + _, err = out.Write(b) + if err != nil { + return err + } + + _, err = out.Write([]byte{'\n'}) + if err != nil { + return err + } + + _, err = client.Write(out.Bytes()) + if err != nil { + return err + } + + // now we can inform systemd to use pid1 as the pid to monitor + newPid := fmt.Sprintf("MAINPID=%d\n", pid1) + client.Write([]byte(newPid)) + return nil } } } diff --git a/signals.go b/signals.go index b67f65a0..dd25e094 100644 --- a/signals.go +++ b/signals.go @@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach h.notifySocket.run(pid1) return 0, nil } + h.notifySocket.run(os.Getpid()) go h.notifySocket.run(0) } @@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach // status because we must ensure that any of the go specific process // fun such as flushing pipes are complete before we return. process.Wait() - if h.notifySocket != nil { - h.notifySocket.Close() - } return e.status, nil } } diff --git a/start.go b/start.go index 2bb698b2..3a1769a4 100644 --- a/start.go +++ b/start.go @@ -3,6 +3,7 @@ package main import ( "errors" "fmt" + "os" "github.com/opencontainers/runc/libcontainer" "github.com/urfave/cli" 
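Review bot: In the reader goroutine of run the prefix test looks at the whole datagram instead of the line being iterated — `if bytes.HasPrefix(got, []byte("READY=")) {` — so a datagram whose READY= line is not its first line (for example `STATUS=...\nREADY=1`) is never forwarded to systemd; it should read `if bytes.HasPrefix(line, []byte("READY=")) {`. The goroutine also has no way to stop: when run returns through the ticker branch it stays blocked in `n.socket.Read` or, if a datagram arrived meanwhile, on the unbuffered `fileChan <- line` send, and nothing in this patch closes n.socket (the Close call in signals.go is removed), so each such return leaves a goroutine and a bound socket behind. Polling `os.Stat(filepath.Join("/proc", strconv.Itoa(pid1)))` only proves that some process with that pid exists — a zombie init or a recycled pid keeps the loop alive — which deserves a comment on the ticker case. The final `client.Write([]byte(newPid))` still discards its error, unlike the three writes above it.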
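Review bot: The new synchronous `h.notifySocket.run(os.Getpid())` in forward's foreground path can block indefinitely: run returns only when a READY= datagram arrives or when `/proc/<pid1>` disappears, and pid1 here is runc's own pid, whose /proc entry exists for as long as runc does, so a container that exits before sending READY= leaves forward stuck before it reaches process.Wait() (forward itself starts outside this hunk, and I assume the signal loop that follows is not serviced while run blocks — please confirm). The following `go h.notifySocket.run(0)` polls `/proc/0`, which does not exist, so that goroutine returns on its first tick having done nothing but dial the host socket; if it is meant to keep forwarding later notifications it needs a real pid, otherwise it can be dropped. Both calls discard run's error result, and the second signals.go hunk removes the `h.notifySocket.Close()` after process.Wait(), so the bound socket now outlives the container; keeping that Close and handling the error, e.g. `if err := h.notifySocket.run(os.Getpid()); err != nil { /* log or return */ }`, would make the foreground path as careful as the detached one.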
@@ -31,7 +32,17 @@ your host.`, } switch status { case libcontainer.Created: - return container.Exec() + notifySocket, err := notifySocketStart(context, os.Getenv("NOTIFY_SOCKET"), container.ID()) + if err != nil { + return err + } + if err := container.Exec(); err != nil { + return err + } + if notifySocket != nil { + return notifySocket.waitForContainer(container) + } + return nil case libcontainer.Stopped: return errors.New("cannot start a container that has stopped") case libcontainer.Running: diff --git a/utils_linux.go b/utils_linux.go index 984e6b0f..46c26246 100644 --- a/utils_linux.go +++ b/utils_linux.go @@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id) if notifySocket != nil { - notifySocket.setupSpec(context, spec) + if err := notifySocket.setupSpec(context, spec); err != nil { + return -1, err + } } container, err := createContainer(context, id, spec) @@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp } if notifySocket != nil { - err := notifySocket.setupSocket() + err := notifySocket.setupSocketDirectory() if err != nil { return -1, err } + if action == CT_ACT_RUN { + err := notifySocket.bindSocket() + if err != nil { + return -1, err + } + } } // Support on-demand socket activation by passing file descriptors into the container init process. -- 2.25.1 ++++++ bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch ++++++ ++++ 824 lines (skipped) ++++ between /work/SRC/openSUSE:Leap:15.2/docker-runc/bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch ++++ and /work/SRC/openSUSE:Leap:15.2/.docker-runc.new.3606/bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch ++++++ docker-runc-git.3e425f80a8c9.tar.xz -> docker-runc-git.dc9208a3303f.tar.xz ++++++ ++++ 10803 lines of diff (skipped)
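Review bot: In the Created case the socket bound by notifySocketStart is never closed: if `container.Exec()` fails the function returns with it still bound, and after `waitForContainer` returns nothing releases it either. Adding `if notifySocket != nil { defer notifySocket.Close() }` directly after the first error check covers both paths (Close is the existing method on notifySocket; its body is not in this patch, so confirm it is safe to call once the socket has been bound). The switch's enclosing function starts outside the hunk, so the other cases were not reviewed.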
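Review bot: The `if action == CT_ACT_RUN` branch in startContainer binds the socket only for run and leaves create to rely on `runc start` calling notifySocketStart later, but nothing in the code says so; a comment such as `// For create, the socket is bound later by notifySocketStart in start.go; only the directory, which setupSpec bind-mounts into the container, must exist now.` would stop the next reader from "fixing" the asymmetry. The directory made by `os.Mkdir(path.Dir(s.socketPath), 0755)` is exposed read-only inside the container, and the socket file in it is presumably created under runc's umask by bindSocket, so whether a non-root process in the container can connect (which needs write permission on the socket inode) is not established by this patch and is worth a note or a test. The inner `err :=` in the CT_ACT_RUN branch shadows the `err` from setupSocketDirectory; using `=` keeps a single variable. startContainer starts and ends outside these hunks.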
