diff --git a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
new file mode 100644
index 0000000..fa3abb5
--- /dev/null
+++ b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
@@ -0,0 +1,123 @@
+From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 1 Jul 2021 12:55:08 +1000
+Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs
+
+This is necessary in order for runc to be able to configure device
+cgroups with --systemd-cgroup on distributions that have very strict
+SELinux policies such as openSUSE MicroOS[1].
+
+The core issue here is that systemd is adding its own BPF policy that
+has an SELinux label such that runc cannot interact with it. In order to
+work around this, we can just ignore the policy -- in theory this
+behaviour is not correct but given that the most obvious case
+(--systemd-cgroup) will still handle updates correctly, this logic is
+reasonable.
+
+(This also contains a backport of [2].)
+
+[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428
+[2]: https://github.com/cilium/ebpf/pull/334
+
+Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching")
+Signed-off-by: Aleksa Sarai
+---
+ go.mod | 2 ++
+ go.sum | 4 ++++
+ libcontainer/cgroups/ebpf/ebpf_linux.go | 19 ++++++++++++++++---
+ vendor/github.com/cilium/ebpf/syscalls.go | 5 ++---
+ vendor/modules.txt | 2 +-
+ 5 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 6262a12198ca..95d14b12b36c 100644
+--- a/go.mod
++++ b/go.mod
+@@ -26,3 +26,5 @@ require (
+ golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
+ google.golang.org/protobuf v1.26.0
+ )
++
++replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
+diff --git a/go.sum b/go.sum
+index 0bc7fd057207..00bb16d7ff6f 100644
+--- a/go.sum
++++ b/go.sum
+@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
+ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d
h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
++github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU=
++github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
++github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q=
++github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+ github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
+ github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go
+index fccf3931d6ee..dd119ad4f7a5 100644
+--- a/libcontainer/cgroups/ebpf/ebpf_linux.go
++++ b/libcontainer/cgroups/ebpf/ebpf_linux.go
+@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) {
+ 
+ // Convert the ids to program handles.
+ progIds = progIds[:size]
+- programs := make([]*ebpf.Program, len(progIds))
+- for idx, progId := range progIds {
++ programs := make([]*ebpf.Program, 0, len(progIds))
++ for _, progId := range progIds {
+ program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId))
+ if err != nil {
++ // We skip over programs that give us -EACCES. This is
++ // necessary because there may be BPF programs that have been
++ // attached (such as with --systemd-cgroup) which have an LSM
++ // label that blocks us from interacting with the program.
++ //
++ // Because additional BPF_CGROUP_DEVICE programs only can add
++ // restrictions, there's no real issue with just ignoring these
++ // programs (and stops runc from breaking on distributions with
++ // very strict SELinux policies).
++ if errors.Is(err, unix.EACCES) {
++ logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId)
++ continue
++ }
+ return nil, fmt.Errorf("cannot fetch program from id: %w", err)
+ }
+- programs[idx] = program
++ programs = append(programs, program)
+ }
+ runtime.KeepAlive(progIds)
+ return programs, nil
+diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go
+index c530aadd9a5b..82678eb4043d 100644
+--- a/vendor/github.com/cilium/ebpf/syscalls.go
++++ b/vendor/github.com/cilium/ebpf/syscalls.go
+@@ -360,10 +360,9 @@ func wrapObjError(err error) error {
+ return nil
+ }
+ if errors.Is(err, unix.ENOENT) {
+- return fmt.Errorf("%w", ErrNotExist)
++ return ErrNotExist
+ }
+-
+- return errors.New(err.Error())
++ return err
+ }
+ 
+ func wrapMapError(err error) error {
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 6878ffcfb192..2da80d8ee4f6 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset
+ # github.com/checkpoint-restore/go-criu/v5 v5.0.0
+ github.com/checkpoint-restore/go-criu/v5
+ github.com/checkpoint-restore/go-criu/v5/rpc
+-# github.com/cilium/ebpf v0.6.1
++# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
+ github.com/cilium/ebpf
+ github.com/cilium/ebpf/asm
+ github.com/cilium/ebpf/internal
+--
+2.32.0
+
diff --git a/runc-1.0.0-rc95.tar.xz b/runc-1.0.0-rc95.tar.xz
deleted file mode 100644
index fe61511..0000000
--- a/runc-1.0.0-rc95.tar.xz
+++ /dev/null
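Review bot: The new `errors.Is(err, unix.EACCES)` branch in the ebpf_linux.go hunk only matches because the vendored `wrapObjError` hunk in the same patch now returns `err` instead of `errors.New(err.Error())`, which flattened the chain and would make the check never fire; that coupling is carried solely by the `replace github.com/cilium/ebpf => github.com/cyphar/ebpf` directive in go.mod and nothing in the Go code records it. I would add above the check: `// NOTE: depends on NewProgramFromID preserving the wrapped errno (cilium/ebpf#334, pulled in via the go.mod replace); with an older cilium/ebpf this branch never matches and runc fails as before.` Separately, the skipped program is only logged at debug level, but the returned slice is then incomplete and a caller that replaces "all existing filters" (the behaviour named in the Fixes trailer) leaves that program attached, which is worth a `Warnf` or at least a sentence in the function's doc comment so the gap is visible when diagnosing device-cgroup denials. `findAttachedCgroupDeviceFilters` begins before the inner hunk, and the outer hunk adds the whole patch file, so the rest of the function is not visible here.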
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8304b161e1c0ec2cee969b25671a147cd56cb99e6aa534371b2cfb3ec13db2c4
-size 1365712
diff --git a/runc-1.0.0-rc95.tar.xz.asc b/runc-1.0.0-rc95.tar.xz.asc
deleted file mode 100644
index 25089a9..0000000
--- a/runc-1.0.0-rc95.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmCkvH0PHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420w9UP/juW0QqFulvkXlEbxU/QR1GYdda4Gcv1oThr
-AtxrHnD8QnFkO3f9Dr4lwUs+jfUYu5wLmzFcqAD3EiuGqZmVjLG6uTBv0Bpq5juD
-0celQJ5QoJZ+pFieMcc3DQzDDG/qEGrqaZEuErOYv4QiBLyrUsy1iK4x/Hc+gMHw
-iegcKHbWZOVbENQKhiR5G8baMskoCcE1kxDQzHNNRfR9RkjQ3S8UH2bf5FyFQ7RL
-e93qlx1h3uWPP8gPT3f1ca7ldEeGd9C/ccWAnp5SHVhXClz72hJsvUKUPzoeKQn0
-JtA4W48vzqjjYkHTuHYAem+m3C5QuaFm2TU41vaxnEcIZTKvHcqjfxGAkleeVDEx
-zZ4TWlVf67oAkh1QVeSryHDV6f+3RuVJ3ErFzVoUA50LDXGa3FdX1Ls9oBVUNfY6
-mbQwJ6VRri+9mcRVcVvW95+e59RqFlSQorsUvxQkUZDvd1JMPi5azppdCCuZDAzq
-JBPolnxFd4Z8SOuWtdr/+R5Wp69Zvh9JwqEwLtV+sCJsZTSOZRhk6WnkDHaiUHoW
-NdGI+jCYCmpHj07tyUJg/Lx99a/NI4EwF3iBMYDpo0AhhTsbWUly+1RyLajiYR0Z
-Po4KLn3JUcuDfDwoId1Sgu4ATzIbmfSa5GHdKT3CVdlVcqJJ/2EXSLx0Ku5sjNFS
-2yaNgwwT
-=UrB6
------END PGP SIGNATURE-----
diff --git a/runc-1.0.0.tar.xz b/runc-1.0.0.tar.xz
new file mode 100644
index 0000000..b831932
--- /dev/null
+++ b/runc-1.0.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ccdf1ac45cb1bb36eb1810457c6b1a513666958d83a96e01fff6085ba179c9f1
+size 1408812
diff --git a/runc-1.0.0.tar.xz.asc b/runc-1.0.0.tar.xz.asc
new file mode 100644
index 0000000..08442bb
--- /dev/null
+++ b/runc-1.0.0.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDRfmEQHGFzYXJhaUBz
+dXNlLmNvbQAKCRCeGKomfduNtBtED/4hkJWG3Weah68Nkudvno1EOhEAqJsl0grl
+WL3kafqMi9S2Qg2y3qKV1Tl+KmNsLdN0jnAUN6q1hBEscott9dPGFEdfcHN/G/UW
+kG8WyIhiIQ83zB1cq5SzcBmrehl++dI6hYUPXQt6S4KKUJGh5sAwpQZxRekm5k2G
+CY+aTRksY+ZfInb988tfShuT1KycyeyqoAcIkxTkoUvR9kmONVmYovLMcah+03Wj
++gGe+xq18plkBA+mvCFXqDhH6SFTYNZ26wwOvxCRJBCtnfYAOzwHd34kmK8cOyNo
+wA/+DECOLdw7y81PRKfdmtGLWGfJfX5Z87uevM80+bwgV8Ciq+u2AQHULUV1Z0N+
+jr3cxLTEilFskwO+KHxtajA8VPFkLyMkhQdfRubE6y93Kl7lKbB3OtnfcKw76gVL
+glAFkZ1sC3XktlvBVE0QlIA34FvZusDbjQinzBFAbEH1BegLTiHL4iLs+RBr2x3l
+LDp1HZl1l+7Bf5tEH8A66dJ1IXZ50M8OdWl/6zWxJaIhSNEyBLupwLZXZx1UfcPh
+BnylxIiLZuPwlWg7SzgKrMPXkyG2r9ZzNr/7fUznq7JobbYrbzopH9BjjNSJ+BsQ
+z+Lf/UaTYRVEFQAxtdqT9PBoctf0/Nlv8dvKYB+4oxGB1J6JlYJhe8zFkSlOr/Wa
++cOCQD3T8w==
+=bgwH
+-----END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
index 74d9d19..7eb2b8a 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai
+
+- Backport to fix issues
+ with runc under openSUSE MicroOS's SELinux policy. boo#1187704
+ + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+
+-------------------------------------------------------------------
+Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai
+
+- Update to runc v1.0.0. Upstream changelog is available from
+ https://github.com/opencontainers/runc/releases/tag/v1.0.0
+
+ ! The usage of relative paths for mountpoints will now produce a warning
+ (such configurations are outside of the spec, and in future runc will
+ produce an error when given such configurations).
+
+ * cgroupv2: devices: rework the filter generation to produce consistent
+ results with cgroupv1, and always clobber any existing eBPF
+ program(s) to fix runc update and avoid leaking eBPF programs
+ (resulting in errors when managing containers).
+ * cgroupv2: correctly convert "number of IOs" statistics in a
+ cgroupv1-compatible way.
+ * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
+ * cgroupv2: wait for freeze to finish before returning from the freezing
+ code, optimize the method for checking whether a cgroup is frozen.
+ * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
+ * cgroups/systemd: fixed returning "unit already exists" error from a systemd
+ cgroup manager (regression in rc94)
+
+ + cgroupv2: support SkipDevices with systemd driver
+ + cgroup/systemd: return, not ignore, stop unit error from Destroy
+ + Make "runc --version" output sane even when built with go get or
+ otherwise outside of our build scripts.
+ + cgroups: set SkipDevices during runc update (so we don't modify
+ cgroups at all during runc update).
+ + cgroup1: blkio: support BFQ weights.
+ + cgroupv2: set per-device io weights if BFQ IO scheduler is available.
+
 -------------------------------------------------------------------
 Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai
diff --git a/runc.spec b/runc.spec
index 57d31a4..fc9569d 100644
--- a/runc.spec
+++ b/runc.spec
@@ -25,8 +25,8 @@
 %define project github.com/opencontainers/runc
 Name: runc
-Version: 1.0.0~rc95
-%define _version 1.0.0-rc95
+Version: 1.0.0
+%define _version 1.0.0
 Release: 0
 Summary: Tool for spawning and running OCI containers
 License: Apache-2.0
@@ -36,6 +36,8 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2: runc.keyring
 Source3: runc-rpmlintrc
+# FIX-UPSTREAM: Backport of . boo#1187704
+Patch1: boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
 BuildRequires: fdupes
 BuildRequires: go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@@ -69,6 +71,8 @@ and has grown to become a separate project entirely.
 %prep
 %setup -q -n %{name}-%{_version}
+# boo#1187704
+%patch1 -p1
 %build
 # build runc
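Review bot: The comment added above the new `Patch1` line reads `# FIX-UPSTREAM: Backport of . boo#1187704` with nothing between "of" and the period, so the upstream reference the FIX-UPSTREAM convention expects is missing; the runc.changes entry `- Backport to fix issues` has the same gap, which suggests an angle-bracketed URL was dropped somewhere, though that cannot be confirmed from this page. The line should carry the real reference, e.g. `# FIX-UPSTREAM: Backport of <UPSTREAM-COMMIT-OR-PR-URL>. boo#1187704` with the placeholder replaced, so that whoever rebases onto the next runc release can check whether the fix has landed upstream. The only references visible on this page are inside the patch file itself (`Fixes: d0f2c25f521e` and `https://github.com/cilium/ebpf/pull/334`), and neither is the runc-side upstream change.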