Accepting request 907286 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/907286
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/runc?expand=0&rev=40

boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch

@@ -1,123 +0,0 @@
-From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <cyphar@cyphar.com>
-Date: Thu, 1 Jul 2021 12:55:08 +1000
-Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs
-
-This is necessary in order for runc to be able to configure device
-cgroups with --systemd-cgroup on distributions that have very strict
-SELinux policies such as openSUSE MicroOS[1].
-
-The core issue here is that systemd is adding its own BPF policy that
-has an SELinux label such that runc cannot interact with it. In order to
-work around this, we can just ignore the policy -- in theory this
-behaviour is not correct but given that the most obvious case
-(--systemd-cgroup) will still handle updates correctly, this logic is
-reasonable.
-
-(This also contains a backport of [2].)
-
-[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428
-[2]: https://github.com/cilium/ebpf/pull/334
-
-Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching")
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
----
- go.mod                                    |  2 ++
- go.sum                                    |  4 ++++
- libcontainer/cgroups/ebpf/ebpf_linux.go   | 19 ++++++++++++++++---
- vendor/github.com/cilium/ebpf/syscalls.go |  5 ++---
- vendor/modules.txt                        |  2 +-
- 5 files changed, 25 insertions(+), 7 deletions(-)
-
-diff --git a/go.mod b/go.mod
-index 6262a12198ca..95d14b12b36c 100644
---- a/go.mod
-+++ b/go.mod
-@@ -26,3 +26,5 @@ require (
- 	golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
- 	google.golang.org/protobuf v1.26.0
- )
-+
-+replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
-diff --git a/go.sum b/go.sum
-index 0bc7fd057207..00bb16d7ff6f 100644
---- a/go.sum
-+++ b/go.sum
-@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
- github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
- github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
- github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU=
-+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
-+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q=
-+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
- github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
- github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
- github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go
-index fccf3931d6ee..dd119ad4f7a5 100644
---- a/libcontainer/cgroups/ebpf/ebpf_linux.go
-+++ b/libcontainer/cgroups/ebpf/ebpf_linux.go
-@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) {
- 
- 		// Convert the ids to program handles.
- 		progIds = progIds[:size]
--		programs := make([]*ebpf.Program, len(progIds))
--		for idx, progId := range progIds {
-+		programs := make([]*ebpf.Program, 0, len(progIds))
-+		for _, progId := range progIds {
- 			program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId))
- 			if err != nil {
-+				// We skip over programs that give us -EACCES. This is
-+				// necessary because there may be BPF programs that have been
-+				// attached (such as with --systemd-cgroup) which have an LSM
-+				// label that blocks us from interacting with the program.
-+				//
-+				// Because additional BPF_CGROUP_DEVICE programs only can add
-+				// restrictions, there's no real issue with just ignoring these
-+				// programs (and stops runc from breaking on distributions with
-+				// very strict SELinux policies).
-+				if errors.Is(err, unix.EACCES) {
-+					logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId)
-+					continue
-+				}
- 				return nil, fmt.Errorf("cannot fetch program from id: %w", err)
- 			}
--			programs[idx] = program
-+			programs = append(programs, program)
- 		}
- 		runtime.KeepAlive(progIds)
- 		return programs, nil
-diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go
-index c530aadd9a5b..82678eb4043d 100644
---- a/vendor/github.com/cilium/ebpf/syscalls.go
-+++ b/vendor/github.com/cilium/ebpf/syscalls.go
-@@ -360,10 +360,9 @@ func wrapObjError(err error) error {
- 		return nil
- 	}
- 	if errors.Is(err, unix.ENOENT) {
--		return fmt.Errorf("%w", ErrNotExist)
-+		return ErrNotExist
- 	}
--
--	return errors.New(err.Error())
-+	return err
- }
- 
- func wrapMapError(err error) error {
-diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 6878ffcfb192..2da80d8ee4f6 100644
---- a/vendor/modules.txt
-+++ b/vendor/modules.txt
-@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset
- # github.com/checkpoint-restore/go-criu/v5 v5.0.0
- github.com/checkpoint-restore/go-criu/v5
- github.com/checkpoint-restore/go-criu/v5/rpc
--# github.com/cilium/ebpf v0.6.1
-+# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
- github.com/cilium/ebpf
- github.com/cilium/ebpf/asm
- github.com/cilium/ebpf/internal
--- 
-2.32.0
-

runc-1.0.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ccdf1ac45cb1bb36eb1810457c6b1a513666958d83a96e01fff6085ba179c9f1
-size 1408812

runc-1.0.0.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDRfmEQHGFzYXJhaUBz
-dXNlLmNvbQAKCRCeGKomfduNtBtED/4hkJWG3Weah68Nkudvno1EOhEAqJsl0grl
-WL3kafqMi9S2Qg2y3qKV1Tl+KmNsLdN0jnAUN6q1hBEscott9dPGFEdfcHN/G/UW
-kG8WyIhiIQ83zB1cq5SzcBmrehl++dI6hYUPXQt6S4KKUJGh5sAwpQZxRekm5k2G
-CY+aTRksY+ZfInb988tfShuT1KycyeyqoAcIkxTkoUvR9kmONVmYovLMcah+03Wj
-+gGe+xq18plkBA+mvCFXqDhH6SFTYNZ26wwOvxCRJBCtnfYAOzwHd34kmK8cOyNo
-wA/+DECOLdw7y81PRKfdmtGLWGfJfX5Z87uevM80+bwgV8Ciq+u2AQHULUV1Z0N+
-jr3cxLTEilFskwO+KHxtajA8VPFkLyMkhQdfRubE6y93Kl7lKbB3OtnfcKw76gVL
-glAFkZ1sC3XktlvBVE0QlIA34FvZusDbjQinzBFAbEH1BegLTiHL4iLs+RBr2x3l
-LDp1HZl1l+7Bf5tEH8A66dJ1IXZ50M8OdWl/6zWxJaIhSNEyBLupwLZXZx1UfcPh
-BnylxIiLZuPwlWg7SzgKrMPXkyG2r9ZzNr/7fUznq7JobbYrbzopH9BjjNSJ+BsQ
-z+Lf/UaTYRVEFQAxtdqT9PBoctf0/Nlv8dvKYB+4oxGB1J6JlYJhe8zFkSlOr/Wa
-+cOCQD3T8w==
-=bgwH
------END PGP SIGNATURE-----

runc-1.0.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7401a8be2556490074418c4b04c6e0584854ff15e899da9ebeb6d22abd877323
+size 1413044

runc-1.0.1.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDxG6kPHGFzYXJhaUBz
+dXNlLmRlAAoJEJ4YqiZ92420yKAQAKZV7fEQI2w7G0e+YCXD8dT6jmKxT5Fo18qK
+Pujzt/bpYmj8EthYM2wUYzfT7UBpxs5PoeREiC+hVMaMog1jPbRj9D03MGGOQxaK
+vLU6jNZWVAjXo0nVVjOY87u4sX5w9+ctWDFKcXSCDcyhCsSDlutXMtTIuU2KDbr5
+NkQWhmnWpZjtHeWT9ueeKEmJ6dO0X+uP03W7cLzcunqkSxhrQEEWQsKSJlwPiVL1
+E8BfMqovKNMnOAluydQZNtPFvBHqDjWiYJhZ88c52k/WW+whDsDYikID451nwAY9
+vZnsCowu5Wv6aASTRr11cTVEo6lH429rkoKcnZlE+K7nd10rge9uiDIQimW1Bp7l
+Z4b1xYjY3QYf4f0zO2XMA0dr0pZLBhf8vnoqjtG4Xzg9ghjQaloY5lvsSYlmFU5L
+8nESnK5FwHnSSOi30bZBfEvCAM6HLa1NGSzKDmMuNFeXZPzCKOivp4uLtC880ePi
+DiiMhGiupqucdee07xxcVfRc1BF72CNUDrl7r1hnsbzg7NueVSCldON4EmkzUhcc
+r5Q9goUPThBc7yndQWztAKygGqVikfoeqWczzW/C1129mimlMRM8rPZMs2ewNBg8
+uPdh8uDCBP1RekQpleYZE+ipchFxd51dpYg6m7qmdlleq5DLwqn6AuM85FO6hCeV
+zMqCcAz9
+=23qD
+-----END PGP SIGNATURE-----

runc.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.1. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.1
+
+  * Fixed occasional runc exec/run failure ("interrupted system call") on an
+    Azure volume.
+  * Fixed "unable to find groups ... token too long" error with /etc/group
+    containing lines longer than 64K characters.
+  * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
+    frozen. This is a regression in 1.0.0, not affecting runc itself but some
+    of libcontainer users (e.g Kubernetes).
+  * cgroupv2: bpf: Ignore inaccessible existing programs in case of
+    permission error when handling replacement of existing bpf cgroup
+    programs. This fixes a regression in 1.0.0, where some SELinux
+    policies would block runc from being able to run entirely.
+  * cgroup/systemd/v2: don't freeze cgroup on Set.
+  * cgroup/systemd/v1: avoid unnecessary freeze on Set.
+
+- Remove upstreamed patches:
+  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+
 -------------------------------------------------------------------
 Thu Jul  1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com>
 

runc.spec

@@ -18,15 +18,15 @@
 
 
 # MANUAL: Make sure you update this each time you update runc.
-%define git_version 12644e614e25b05da6fd08a38ffa0cfe1903fdec
+%define git_version 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7
 
 # Package-wide golang version
 %define go_version 1.13
 %define project github.com/opencontainers/runc
 
 Name:           runc
-Version:        1.0.0
-%define _version 1.0.0
+Version:        1.0.1
+%define _version 1.0.1
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@@ -36,8 +36,6 @@ Source0:        https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2:        runc.keyring
 Source3:        runc-rpmlintrc
-# FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/3055>. boo#1187704
-Patch1:         boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@@ -49,17 +47,12 @@ Recommends:     criu
 # There used to be a docker-runc package which was specifically for Docker.
 # Since Docker now tracks upstream more consistently, we use the same package
 # but we need to obsolete the old one. bsc#1181677
-# NOTE: We can't use the package version here because docker-runc used a
-#       different versioning scheme by accident (1.0.0rc92 vs 1.0.0~rc92 -- and
-#       GNU sort considers the former to be newer than the latter, in fact
-#       1.0.0rc92 is newer than 1.0.0 according to GNU sort). So we invent a
-#       fake 1.0.0.1 version.
-Obsoletes:      docker-runc < 1.0.0.1
-Provides:       docker-runc = 1.0.0.1.%{version}
+Obsoletes:      docker-runc < %{version}
+Provides:       docker-runc = %{version}
 # KUBIC-SPECIFIC: There used to be a kubic-specific docker-runc package, but
 #                 now it's been merged into the one package. bsc#1181677
-Obsoletes:      docker-runc-kubic < 1.0.0.1
-Provides:       docker-runc-kubic = 1.0.0.1.%{version}
+Obsoletes:      docker-runc-kubic < %{version}
+Provides:       docker-runc-kubic = %{version}
 Obsoletes:      docker-runc = 0.1.1+gitr2819_50a19c6
 Obsoletes:      docker-runc_50a19c6
 
@@ -71,8 +64,6 @@ and has grown to become a separate project entirely.
 
 %prep
 %setup -q -n %{name}-%{_version}
-# boo#1187704
-%patch1 -p1
 
 %build
 # build runc