Accepting request 903381 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/903381 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/runc?expand=0&rev=39
2021-07-02 11:26:39 +00:00 · 2021-07-02 11:26:39 +00:00 · f48613b441
commit f48613b441
parent 527af93c54 6a4e9d3d6c
7 changed files with 188 additions and 22 deletions
--- a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+++ b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
@ -0,0 +1,123 @@
+From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 1 Jul 2021 12:55:08 +1000
+Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs
+
+This is necessary in order for runc to be able to configure device
+cgroups with --systemd-cgroup on distributions that have very strict
+SELinux policies such as openSUSE MicroOS[1].
+
+The core issue here is that systemd is adding its own BPF policy that
+has an SELinux label such that runc cannot interact with it. In order to
+work around this, we can just ignore the policy -- in theory this
+behaviour is not correct but given that the most obvious case
+(--systemd-cgroup) will still handle updates correctly, this logic is
+reasonable.
+
+(This also contains a backport of [2].)
+
+[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428
+[2]: https://github.com/cilium/ebpf/pull/334
+
+Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching")
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ go.mod                                    |  2 ++
+ go.sum                                    |  4 ++++
+ libcontainer/cgroups/ebpf/ebpf_linux.go   | 19 ++++++++++++++++---
+ vendor/github.com/cilium/ebpf/syscalls.go |  5 ++---
+ vendor/modules.txt                        |  2 +-
+ 5 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 6262a12198ca..95d14b12b36c 100644
+--- a/go.mod
+++ b/go.mod
+@@ -26,3 +26,5 @@ require (
+ 	golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
+ 	google.golang.org/protobuf v1.26.0
+ )
+
+replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
+diff --git a/go.sum b/go.sum
+index 0bc7fd057207..00bb16d7ff6f 100644
+--- a/go.sum
+++ b/go.sum
+@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
+ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU=
+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q=
+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+ github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
+ github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go
+index fccf3931d6ee..dd119ad4f7a5 100644
+--- a/libcontainer/cgroups/ebpf/ebpf_linux.go
+++ b/libcontainer/cgroups/ebpf/ebpf_linux.go
+@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) {
+ 
+ 		// Convert the ids to program handles.
+ 		progIds = progIds[:size]
+-		programs := make([]*ebpf.Program, len(progIds))
+-		for idx, progId := range progIds {
+		programs := make([]*ebpf.Program, 0, len(progIds))
+		for _, progId := range progIds {
+ 			program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId))
+ 			if err != nil {
+				// We skip over programs that give us -EACCES. This is
+				// necessary because there may be BPF programs that have been
+				// attached (such as with --systemd-cgroup) which have an LSM
+				// label that blocks us from interacting with the program.
+				//
+				// Because additional BPF_CGROUP_DEVICE programs only can add
+				// restrictions, there's no real issue with just ignoring these
+				// programs (and stops runc from breaking on distributions with
+				// very strict SELinux policies).
+				if errors.Is(err, unix.EACCES) {
+					logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId)
+					continue
+				}
+ 				return nil, fmt.Errorf("cannot fetch program from id: %w", err)
+ 			}
+-			programs[idx] = program
+			programs = append(programs, program)
+ 		}
+ 		runtime.KeepAlive(progIds)
+ 		return programs, nil
+diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go
+index c530aadd9a5b..82678eb4043d 100644
+--- a/vendor/github.com/cilium/ebpf/syscalls.go
+++ b/vendor/github.com/cilium/ebpf/syscalls.go
+@@ -360,10 +360,9 @@ func wrapObjError(err error) error {
+ 		return nil
+ 	}
+ 	if errors.Is(err, unix.ENOENT) {
+-		return fmt.Errorf("%w", ErrNotExist)
+		return ErrNotExist
+ 	}
+-
+-	return errors.New(err.Error())
+	return err
+ }
+ 
+ func wrapMapError(err error) error {
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 6878ffcfb192..2da80d8ee4f6 100644
+--- a/vendor/modules.txt
+++ b/vendor/modules.txt
+@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset
+ # github.com/checkpoint-restore/go-criu/v5 v5.0.0
+ github.com/checkpoint-restore/go-criu/v5
+ github.com/checkpoint-restore/go-criu/v5/rpc
+-# github.com/cilium/ebpf v0.6.1
+# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
+ github.com/cilium/ebpf
+ github.com/cilium/ebpf/asm
+ github.com/cilium/ebpf/internal
+-- 
+2.32.0
+
--- a/runc-1.0.0-rc95.tar.xz
+++ b/runc-1.0.0-rc95.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8304b161e1c0ec2cee969b25671a147cd56cb99e6aa534371b2cfb3ec13db2c4
-size 1365712
--- a/runc-1.0.0-rc95.tar.xz.asc
+++ b/runc-1.0.0-rc95.tar.xz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmCkvH0PHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420w9UP/juW0QqFulvkXlEbxU/QR1GYdda4Gcv1oThr
-AtxrHnD8QnFkO3f9Dr4lwUs+jfUYu5wLmzFcqAD3EiuGqZmVjLG6uTBv0Bpq5juD
-0celQJ5QoJZ+pFieMcc3DQzDDG/qEGrqaZEuErOYv4QiBLyrUsy1iK4x/Hc+gMHw
-iegcKHbWZOVbENQKhiR5G8baMskoCcE1kxDQzHNNRfR9RkjQ3S8UH2bf5FyFQ7RL
-e93qlx1h3uWPP8gPT3f1ca7ldEeGd9C/ccWAnp5SHVhXClz72hJsvUKUPzoeKQn0
-JtA4W48vzqjjYkHTuHYAem+m3C5QuaFm2TU41vaxnEcIZTKvHcqjfxGAkleeVDEx
-zZ4TWlVf67oAkh1QVeSryHDV6f+3RuVJ3ErFzVoUA50LDXGa3FdX1Ls9oBVUNfY6
-mbQwJ6VRri+9mcRVcVvW95+e59RqFlSQorsUvxQkUZDvd1JMPi5azppdCCuZDAzq
-JBPolnxFd4Z8SOuWtdr/+R5Wp69Zvh9JwqEwLtV+sCJsZTSOZRhk6WnkDHaiUHoW
-NdGI+jCYCmpHj07tyUJg/Lx99a/NI4EwF3iBMYDpo0AhhTsbWUly+1RyLajiYR0Z
-Po4KLn3JUcuDfDwoId1Sgu4ATzIbmfSa5GHdKT3CVdlVcqJJ/2EXSLx0Ku5sjNFS
-2yaNgwwT
-=UrB6
-----END PGP SIGNATURE-----
--- a/runc-1.0.0.tar.xz
+++ b/runc-1.0.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ccdf1ac45cb1bb36eb1810457c6b1a513666958d83a96e01fff6085ba179c9f1
+size 1408812
--- a/runc-1.0.0.tar.xz.asc
+++ b/runc-1.0.0.tar.xz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDRfmEQHGFzYXJhaUBz
+dXNlLmNvbQAKCRCeGKomfduNtBtED/4hkJWG3Weah68Nkudvno1EOhEAqJsl0grl
+WL3kafqMi9S2Qg2y3qKV1Tl+KmNsLdN0jnAUN6q1hBEscott9dPGFEdfcHN/G/UW
+kG8WyIhiIQ83zB1cq5SzcBmrehl++dI6hYUPXQt6S4KKUJGh5sAwpQZxRekm5k2G
+CY+aTRksY+ZfInb988tfShuT1KycyeyqoAcIkxTkoUvR9kmONVmYovLMcah+03Wj
+gGe+xq18plkBA+mvCFXqDhH6SFTYNZ26wwOvxCRJBCtnfYAOzwHd34kmK8cOyNo
+wA/+DECOLdw7y81PRKfdmtGLWGfJfX5Z87uevM80+bwgV8Ciq+u2AQHULUV1Z0N+
+jr3cxLTEilFskwO+KHxtajA8VPFkLyMkhQdfRubE6y93Kl7lKbB3OtnfcKw76gVL
+glAFkZ1sC3XktlvBVE0QlIA34FvZusDbjQinzBFAbEH1BegLTiHL4iLs+RBr2x3l
+LDp1HZl1l+7Bf5tEH8A66dJ1IXZ50M8OdWl/6zWxJaIhSNEyBLupwLZXZx1UfcPh
+BnylxIiLZuPwlWg7SzgKrMPXkyG2r9ZzNr/7fUznq7JobbYrbzopH9BjjNSJ+BsQ
+z+Lf/UaTYRVEFQAxtdqT9PBoctf0/Nlv8dvKYB+4oxGB1J6JlYJhe8zFkSlOr/Wa
+cOCQD3T8w==
+=bgwH
+-----END PGP SIGNATURE-----
--- a/runc.changes
+++ b/runc.changes
@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Thu Jul  1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Backport <https://github.com/opencontainers/runc/pull/3055> to fix issues
+  with runc under openSUSE MicroOS's SELinux policy. boo#1187704
+  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
+
+-------------------------------------------------------------------
+Tue Jun  1 11:00:30 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.0.0. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0
+
+  ! The usage of relative paths for mountpoints will now produce a warning
+    (such configurations are outside of the spec, and in future runc will
+    produce an error when given such configurations).
+
+  * cgroupv2: devices: rework the filter generation to produce consistent
+    results with cgroupv1, and always clobber any existing eBPF
+    program(s) to fix runc update and avoid leaking eBPF programs
+    (resulting in errors when managing containers).
+  * cgroupv2: correctly convert "number of IOs" statistics in a
+    cgroupv1-compatible way.
+  * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
+  * cgroupv2: wait for freeze to finish before returning from the freezing
+    code, optimize the method for checking whether a cgroup is frozen.
+  * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
+  * cgroups/systemd: fixed returning "unit already exists" error from a systemd
+    cgroup manager (regression in rc94)
+
+  + cgroupv2: support SkipDevices with systemd driver
+  + cgroup/systemd: return, not ignore, stop unit error from Destroy
+  + Make "runc --version" output sane even when built with go get or
+    otherwise outside of our build scripts.
+  + cgroups: set SkipDevices during runc update (so we don't modify
+    cgroups at all during runc update).
+  + cgroup1: blkio: support BFQ weights.
+  + cgroupv2: set per-device io weights if BFQ IO scheduler is available.
+
 -------------------------------------------------------------------
 Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai <asarai@suse.com>

--- a/runc.spec
+++ b/runc.spec
@ -25,8 +25,8 @@
 %define project github.com/opencontainers/runc

 Name:           runc
-Version:        1.0.0~rc95
-%define _version 1.0.0-rc95
+Version:        1.0.0
+%define _version 1.0.0
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@ -36,6 +36,8 @@ Source0:        https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2:        runc.keyring
 Source3:        runc-rpmlintrc
+# FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/3055>. boo#1187704
+Patch1:         boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
 # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@ -69,6 +71,8 @@ and has grown to become a separate project entirely.

 %prep
 %setup -q -n %{name}-%{_version}
+# boo#1187704
+%patch1 -p1

 %build
 # build runc