From 0d8a6b3c6e1dc0a89de272d7e9c8cd6290fcacb508e474219b5ca0168d0d9bda Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 20 Jul 2021 09:40:45 +0000 Subject: [PATCH] Accepting request 907285 from home:cyphar:docker - Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 * Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume. * Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - Remove upstreamed patches: + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch OBS-URL: https://build.opensuse.org/request/show/907285 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=116 --- ...gnore-inaccessible-existing-programs.patch | 123 ------------------ runc-1.0.0.tar.xz | 3 - runc-1.0.0.tar.xz.asc | 17 --- runc-1.0.1.tar.xz | 3 + runc-1.0.1.tar.xz.asc | 17 +++ runc.changes | 23 ++++ runc.spec | 23 +--- 7 files changed, 50 insertions(+), 159 deletions(-) delete mode 100644 boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch delete mode 100644 runc-1.0.0.tar.xz delete mode 100644 runc-1.0.0.tar.xz.asc create mode 100644 runc-1.0.1.tar.xz create mode 100644 runc-1.0.1.tar.xz.asc 
diff --git a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
deleted file mode 100644
index fa3abb5..0000000
--- a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Thu, 1 Jul 2021 12:55:08 +1000 -Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs - -This is necessary in order for runc to be able to configure device -cgroups with --systemd-cgroup on distributions that have very strict -SELinux policies such as openSUSE MicroOS[1]. - -The core issue here is that systemd is adding its own BPF policy that -has an SELinux label such that runc cannot interact with it. In order to -work around this, we can just ignore the policy -- in theory this -behaviour is not correct but given that the most obvious case -(--systemd-cgroup) will still handle updates correctly, this logic is -reasonable. - -(This also contains a backport of [2].) - -[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428 -[2]: https://github.com/cilium/ebpf/pull/334 - -Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching") -Signed-off-by: Aleksa Sarai ---- - go.mod | 2 ++ - go.sum | 4 ++++ - libcontainer/cgroups/ebpf/ebpf_linux.go | 19 ++++++++++++++++--- - vendor/github.com/cilium/ebpf/syscalls.go | 5 ++--- - vendor/modules.txt | 2 +- - 5 files changed, 25 insertions(+), 7 deletions(-) - -diff --git a/go.mod b/go.mod -index 6262a12198ca..95d14b12b36c 100644 ---- a/go.mod -+++ b/go.mod -@@ -26,3 +26,5 @@ require ( - golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 - google.golang.org/protobuf v1.26.0 - ) -+ -+replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f -diff --git a/go.sum b/go.sum -index 0bc7fd057207..00bb16d7ff6f 100644 ---- a/go.sum -+++ b/go.sum -@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA - github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= - github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d 
h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY= - github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU= -+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= -+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q= -+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= - github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= - github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= - github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go -index fccf3931d6ee..dd119ad4f7a5 100644 ---- a/libcontainer/cgroups/ebpf/ebpf_linux.go -+++ b/libcontainer/cgroups/ebpf/ebpf_linux.go -@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) { - - // Convert the ids to program handles. - progIds = progIds[:size] -- programs := make([]*ebpf.Program, len(progIds)) -- for idx, progId := range progIds { -+ programs := make([]*ebpf.Program, 0, len(progIds)) -+ for _, progId := range progIds { - program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId)) - if err != nil { -+ // We skip over programs that give us -EACCES. This is -+ // necessary because there may be BPF programs that have been -+ // attached (such as with --systemd-cgroup) which have an LSM -+ // label that blocks us from interacting with the program. 
-+ // -+ // Because additional BPF_CGROUP_DEVICE programs only can add -+ // restrictions, there's no real issue with just ignoring these -+ // programs (and stops runc from breaking on distributions with -+ // very strict SELinux policies). -+ if errors.Is(err, unix.EACCES) { -+ logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId) -+ continue -+ } - return nil, fmt.Errorf("cannot fetch program from id: %w", err) - } -- programs[idx] = program -+ programs = append(programs, program) - } - runtime.KeepAlive(progIds) - return programs, nil -diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go -index c530aadd9a5b..82678eb4043d 100644 ---- a/vendor/github.com/cilium/ebpf/syscalls.go -+++ b/vendor/github.com/cilium/ebpf/syscalls.go -@@ -360,10 +360,9 @@ func wrapObjError(err error) error { - return nil - } - if errors.Is(err, unix.ENOENT) { -- return fmt.Errorf("%w", ErrNotExist) -+ return ErrNotExist - } -- -- return errors.New(err.Error()) -+ return err - } - - func wrapMapError(err error) error { -diff --git a/vendor/modules.txt b/vendor/modules.txt -index 6878ffcfb192..2da80d8ee4f6 100644 ---- a/vendor/modules.txt -+++ b/vendor/modules.txt -@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset - # github.com/checkpoint-restore/go-criu/v5 v5.0.0 - github.com/checkpoint-restore/go-criu/v5 - github.com/checkpoint-restore/go-criu/v5/rpc --# github.com/cilium/ebpf v0.6.1 -+# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f - github.com/cilium/ebpf - github.com/cilium/ebpf/asm - github.com/cilium/ebpf/internal --- -2.32.0 - diff --git a/runc-1.0.0.tar.xz b/runc-1.0.0.tar.xz deleted file mode 100644 index b831932..0000000 --- a/runc-1.0.0.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ccdf1ac45cb1bb36eb1810457c6b1a513666958d83a96e01fff6085ba179c9f1
-size 1408812
diff --git a/runc-1.0.0.tar.xz.asc b/runc-1.0.0.tar.xz.asc
deleted file mode 100644
index 08442bb..0000000
--- a/runc-1.0.0.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDRfmEQHGFzYXJhaUBz
-dXNlLmNvbQAKCRCeGKomfduNtBtED/4hkJWG3Weah68Nkudvno1EOhEAqJsl0grl
-WL3kafqMi9S2Qg2y3qKV1Tl+KmNsLdN0jnAUN6q1hBEscott9dPGFEdfcHN/G/UW
-kG8WyIhiIQ83zB1cq5SzcBmrehl++dI6hYUPXQt6S4KKUJGh5sAwpQZxRekm5k2G
-CY+aTRksY+ZfInb988tfShuT1KycyeyqoAcIkxTkoUvR9kmONVmYovLMcah+03Wj
-+gGe+xq18plkBA+mvCFXqDhH6SFTYNZ26wwOvxCRJBCtnfYAOzwHd34kmK8cOyNo
-wA/+DECOLdw7y81PRKfdmtGLWGfJfX5Z87uevM80+bwgV8Ciq+u2AQHULUV1Z0N+
-jr3cxLTEilFskwO+KHxtajA8VPFkLyMkhQdfRubE6y93Kl7lKbB3OtnfcKw76gVL
-glAFkZ1sC3XktlvBVE0QlIA34FvZusDbjQinzBFAbEH1BegLTiHL4iLs+RBr2x3l
-LDp1HZl1l+7Bf5tEH8A66dJ1IXZ50M8OdWl/6zWxJaIhSNEyBLupwLZXZx1UfcPh
-BnylxIiLZuPwlWg7SzgKrMPXkyG2r9ZzNr/7fUznq7JobbYrbzopH9BjjNSJ+BsQ
-z+Lf/UaTYRVEFQAxtdqT9PBoctf0/Nlv8dvKYB+4oxGB1J6JlYJhe8zFkSlOr/Wa
-+cOCQD3T8w==
-=bgwH
------END PGP SIGNATURE-----
diff --git a/runc-1.0.1.tar.xz b/runc-1.0.1.tar.xz
new file mode 100644
index 0000000..9b4c5b3
--- /dev/null
+++ b/runc-1.0.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7401a8be2556490074418c4b04c6e0584854ff15e899da9ebeb6d22abd877323
+size 1413044
diff --git a/runc-1.0.1.tar.xz.asc b/runc-1.0.1.tar.xz.asc
new file mode 100644
index 0000000..a063b1d
--- /dev/null
+++ b/runc-1.0.1.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDxG6kPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420yKAQAKZV7fEQI2w7G0e+YCXD8dT6jmKxT5Fo18qK
+Pujzt/bpYmj8EthYM2wUYzfT7UBpxs5PoeREiC+hVMaMog1jPbRj9D03MGGOQxaK
+vLU6jNZWVAjXo0nVVjOY87u4sX5w9+ctWDFKcXSCDcyhCsSDlutXMtTIuU2KDbr5
+NkQWhmnWpZjtHeWT9ueeKEmJ6dO0X+uP03W7cLzcunqkSxhrQEEWQsKSJlwPiVL1
+E8BfMqovKNMnOAluydQZNtPFvBHqDjWiYJhZ88c52k/WW+whDsDYikID451nwAY9
+vZnsCowu5Wv6aASTRr11cTVEo6lH429rkoKcnZlE+K7nd10rge9uiDIQimW1Bp7l
+Z4b1xYjY3QYf4f0zO2XMA0dr0pZLBhf8vnoqjtG4Xzg9ghjQaloY5lvsSYlmFU5L
+8nESnK5FwHnSSOi30bZBfEvCAM6HLa1NGSzKDmMuNFeXZPzCKOivp4uLtC880ePi
+DiiMhGiupqucdee07xxcVfRc1BF72CNUDrl7r1hnsbzg7NueVSCldON4EmkzUhcc
+r5Q9goUPThBc7yndQWztAKygGqVikfoeqWczzW/C1129mimlMRM8rPZMs2ewNBg8
+uPdh8uDCBP1RekQpleYZE+ipchFxd51dpYg6m7qmdlleq5DLwqn6AuM85FO6hCeV
+zMqCcAz9
+=23qD
+-----END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
index 7eb2b8a..41e2a63 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.1. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.1 + + * Fixed occasional runc exec/run failure ("interrupted system call") on an + Azure volume. + * Fixed "unable to find groups ... token too long" error with /etc/group + containing lines longer than 64K characters. + * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is + frozen. This is a regression in 1.0.0, not affecting runc itself but some + of libcontainer users (e.g Kubernetes). + * cgroupv2: bpf: Ignore inaccessible existing programs in case of + permission error when handling replacement of existing bpf cgroup + programs. This fixes a regression in 1.0.0, where some SELinux + policies would block runc from being able to run entirely. + * cgroup/systemd/v2: don't freeze cgroup on Set. + * cgroup/systemd/v1: avoid unnecessary freeze on Set. + +- Remove upstreamed patches: + + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch + ------------------------------------------------------------------- Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai diff --git a/runc.spec b/runc.spec index fc9569d..6f5972c 100644 --- a/runc.spec +++ b/runc.spec @@ -18,15 +18,15 @@ # MANUAL: Make sure you update this each time you update runc. -%define git_version 12644e614e25b05da6fd08a38ffa0cfe1903fdec +%define git_version 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7 # Package-wide golang version %define go_version 1.13 %define project github.com/opencontainers/runc Name: runc -Version: 1.0.0 -%define _version 1.0.0 +Version: 1.0.1 +%define _version 1.0.1 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 
@@ -36,8 +36,6 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring Source3: runc-rpmlintrc -# FIX-UPSTREAM: Backport of . boo#1187704 -Patch1: boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch BuildRequires: fdupes BuildRequires: go-go-md2man # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires @@ -49,17 +47,12 @@ Recommends: criu # There used to be a docker-runc package which was specifically for Docker. # Since Docker now tracks upstream more consistently, we use the same package # but we need to obsolete the old one. bsc#1181677 -# NOTE: We can't use the package version here because docker-runc used a -# different versioning scheme by accident (1.0.0rc92 vs 1.0.0~rc92 -- and -# GNU sort considers the former to be newer than the latter, in fact -# 1.0.0rc92 is newer than 1.0.0 according to GNU sort). So we invent a -# fake 1.0.0.1 version. -Obsoletes: docker-runc < 1.0.0.1 -Provides: docker-runc = 1.0.0.1.%{version} +Obsoletes: docker-runc < %{version} +Provides: docker-runc = %{version} # KUBIC-SPECIFIC: There used to be a kubic-specific docker-runc package, but # now it's been merged into the one package. bsc#1181677 -Obsoletes: docker-runc-kubic < 1.0.0.1 -Provides: docker-runc-kubic = 1.0.0.1.%{version} +Obsoletes: docker-runc-kubic < %{version} +Provides: docker-runc-kubic = %{version} Obsoletes: docker-runc = 0.1.1+gitr2819_50a19c6 Obsoletes: docker-runc_50a19c6 @@ -71,8 +64,6 @@ and has grown to become a separate project entirely. %prep %setup -q -n %{name}-%{_version} -# boo#1187704 -%patch1 -p1 %build # build runc
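Review bot: The second hunk (`@@ -49,17 +47,12 @@`) deletes the five-line NOTE that explained why `docker-runc` had to be obsoleted against an invented `1.0.0.1` version, and the replacement `Obsoletes: docker-runc < %{version}` records nothing about why the workaround is now safe to drop. It is correct for this release only because RPM's version comparison settles `1.0.1` against `1.0.0rc92` on the third numeric segment before it reaches the `rc92` suffix, which is exactly the case the old comment said did not hold for `1.0.0`; a maintainer who later resets `Version` to something that sorts below `1.0.0rc92` would silently stop obsoleting the old package. I would keep a one-line trace above the pair, e.g. `# NOTE: docker-runc shipped as 1.0.0rc92 (no ~), which sorts above 1.0.0 but below 1.0.1, so %{version} is safe from this release on. bsc#1181677`. The same applies to the `docker-runc-kubic` Obsoletes/Provides pair a few lines down in the same hunk.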