From 0b604a862b46f09039ca234e05fc5f84d09b32c51937e401166df59be1c47f27 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Tue, 22 Jun 2021 06:34:42 +0000 Subject: [PATCH 1/3] Accepting request 901272 from home:cyphar:docker - Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 * cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. 
OBS-URL: https://build.opensuse.org/request/show/901272
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=113
---
runc-1.0.0-rc95.tar.xz | 3 ---
runc-1.0.0-rc95.tar.xz.asc | 17 -----------------
runc-1.0.0.tar.xz | 3 +++
runc-1.0.0.tar.xz.asc | 17 +++++++++++++++++
runc.changes | 32 ++++++++++++++++++++++++++++++++
runc.spec | 4 ++--
6 files changed, 54 insertions(+), 22 deletions(-)
delete mode 100644 runc-1.0.0-rc95.tar.xz
delete mode 100644 runc-1.0.0-rc95.tar.xz.asc
create mode 100644 runc-1.0.0.tar.xz
create mode 100644 runc-1.0.0.tar.xz.asc
diff --git a/runc-1.0.0-rc95.tar.xz b/runc-1.0.0-rc95.tar.xz
deleted file mode 100644
index fe61511..0000000
--- a/runc-1.0.0-rc95.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8304b161e1c0ec2cee969b25671a147cd56cb99e6aa534371b2cfb3ec13db2c4
-size 1365712
diff --git a/runc-1.0.0-rc95.tar.xz.asc b/runc-1.0.0-rc95.tar.xz.asc
deleted file mode 100644
index 25089a9..0000000
--- a/runc-1.0.0-rc95.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmCkvH0PHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420w9UP/juW0QqFulvkXlEbxU/QR1GYdda4Gcv1oThr
-AtxrHnD8QnFkO3f9Dr4lwUs+jfUYu5wLmzFcqAD3EiuGqZmVjLG6uTBv0Bpq5juD
-0celQJ5QoJZ+pFieMcc3DQzDDG/qEGrqaZEuErOYv4QiBLyrUsy1iK4x/Hc+gMHw
-iegcKHbWZOVbENQKhiR5G8baMskoCcE1kxDQzHNNRfR9RkjQ3S8UH2bf5FyFQ7RL
-e93qlx1h3uWPP8gPT3f1ca7ldEeGd9C/ccWAnp5SHVhXClz72hJsvUKUPzoeKQn0
-JtA4W48vzqjjYkHTuHYAem+m3C5QuaFm2TU41vaxnEcIZTKvHcqjfxGAkleeVDEx
-zZ4TWlVf67oAkh1QVeSryHDV6f+3RuVJ3ErFzVoUA50LDXGa3FdX1Ls9oBVUNfY6
-mbQwJ6VRri+9mcRVcVvW95+e59RqFlSQorsUvxQkUZDvd1JMPi5azppdCCuZDAzq
-JBPolnxFd4Z8SOuWtdr/+R5Wp69Zvh9JwqEwLtV+sCJsZTSOZRhk6WnkDHaiUHoW
-NdGI+jCYCmpHj07tyUJg/Lx99a/NI4EwF3iBMYDpo0AhhTsbWUly+1RyLajiYR0Z
-Po4KLn3JUcuDfDwoId1Sgu4ATzIbmfSa5GHdKT3CVdlVcqJJ/2EXSLx0Ku5sjNFS
-2yaNgwwT
-=UrB6
------END PGP SIGNATURE-----
diff --git a/runc-1.0.0.tar.xz b/runc-1.0.0.tar.xz
new file mode 100644
index 0000000..b831932
--- /dev/null
+++ b/runc-1.0.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ccdf1ac45cb1bb36eb1810457c6b1a513666958d83a96e01fff6085ba179c9f1
+size 1408812
diff --git a/runc-1.0.0.tar.xz.asc b/runc-1.0.0.tar.xz.asc
new file mode 100644
index 0000000..08442bb
--- /dev/null
+++ b/runc-1.0.0.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmDRfmEQHGFzYXJhaUBz
+dXNlLmNvbQAKCRCeGKomfduNtBtED/4hkJWG3Weah68Nkudvno1EOhEAqJsl0grl
+WL3kafqMi9S2Qg2y3qKV1Tl+KmNsLdN0jnAUN6q1hBEscott9dPGFEdfcHN/G/UW
+kG8WyIhiIQ83zB1cq5SzcBmrehl++dI6hYUPXQt6S4KKUJGh5sAwpQZxRekm5k2G
+CY+aTRksY+ZfInb988tfShuT1KycyeyqoAcIkxTkoUvR9kmONVmYovLMcah+03Wj
++gGe+xq18plkBA+mvCFXqDhH6SFTYNZ26wwOvxCRJBCtnfYAOzwHd34kmK8cOyNo
+wA/+DECOLdw7y81PRKfdmtGLWGfJfX5Z87uevM80+bwgV8Ciq+u2AQHULUV1Z0N+
+jr3cxLTEilFskwO+KHxtajA8VPFkLyMkhQdfRubE6y93Kl7lKbB3OtnfcKw76gVL
+glAFkZ1sC3XktlvBVE0QlIA34FvZusDbjQinzBFAbEH1BegLTiHL4iLs+RBr2x3l
+LDp1HZl1l+7Bf5tEH8A66dJ1IXZ50M8OdWl/6zWxJaIhSNEyBLupwLZXZx1UfcPh
+BnylxIiLZuPwlWg7SzgKrMPXkyG2r9ZzNr/7fUznq7JobbYrbzopH9BjjNSJ+BsQ
+z+Lf/UaTYRVEFQAxtdqT9PBoctf0/Nlv8dvKYB+4oxGB1J6JlYJhe8zFkSlOr/Wa
++cOCQD3T8w==
+=bgwH
+-----END PGP SIGNATURE-----
diff --git a/runc.changes b/runc.changes
index 74d9d19..4df2350 100644
--- a/runc.changes
+++ b/runc.changes
@@ -1,3 +1,35 @@ +------------------------------------------------------------------- +Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai + +- Update to runc v1.0.0. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0 + + ! The usage of relative paths for mountpoints will now produce a warning + (such configurations are outside of the spec, and in future runc will + produce an error when given such configurations). + + * cgroupv2: devices: rework the filter generation to produce consistent + results with cgroupv1, and always clobber any existing eBPF + program(s) to fix runc update and avoid leaking eBPF programs + (resulting in errors when managing containers). + * cgroupv2: correctly convert "number of IOs" statistics in a + cgroupv1-compatible way. + * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. + * cgroupv2: wait for freeze to finish before returning from the freezing + code, optimize the method for checking whether a cgroup is frozen. + * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 + * cgroups/systemd: fixed returning "unit already exists" error from a systemd + cgroup manager (regression in rc94) + + + cgroupv2: support SkipDevices with systemd driver + + cgroup/systemd: return, not ignore, stop unit error from Destroy + + Make "runc --version" output sane even when built with go get or + otherwise outside of our build scripts. + + cgroups: set SkipDevices during runc update (so we don't modify + cgroups at all during runc update). + + cgroup1: blkio: support BFQ weights. + + cgroupv2: set per-device io weights if BFQ IO scheduler is available. + ------------------------------------------------------------------- Wed May 19 10:00:00 UTC 2021 - Aleksa Sarai diff --git a/runc.spec b/runc.spec index 57d31a4..ed54ec3 100644 --- a/runc.spec +++ b/runc.spec 
@@ -25,8 +25,8 @@ %define project github.com/opencontainers/runc Name: runc -Version: 1.0.0~rc95 -%define _version 1.0.0-rc95 +Version: 1.0.0 +%define _version 1.0.0 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 From 53ec3e18349a61fdf61553e55d23c3e62fee0bf595cb8d178d9bd26b528b52c5 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 1 Jul 2021 06:17:25 +0000 Subject: [PATCH 2/3] Accepting request 903342 from home:cyphar:docker - Backport to fix issues with runc under openSUSE MicroOS's SELinux policy. boo#1187704 + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch OBS-URL: https://build.opensuse.org/request/show/903342 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=114 --- ...gnore-inaccessible-existing-programs.patch | 123 ++++++++++++++++++ runc.changes | 7 + runc.spec | 4 + 3 files changed, 134 insertions(+) create mode 100644 boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch diff --git a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch new file mode 100644 index 0000000..63675a9 --- /dev/null +++ b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch 
@@ -0,0 +1,123 @@ +From 1f0f25356e7616869eb68a137eee22d9adc204b2 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 1 Jul 2021 12:55:08 +1000 +Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs + +This is necessary in order for runc to be able to configure device +cgroups with --systemd-cgroup on distributions that have very strict +SELinux policies such as openSUSE MicroOS[1]. + +The core issue here is that systemd is adding its own BPF policy that +has an SELinux label such that runc cannot interact with it. In order to +work around this, we can just ignore the policy -- in theory this +behaviour is not correct but given that the most obvious case +(--systemd-cgroup) will still handle updates correctly, this logic is +reasonable. + +(This also contains a backport of [2].) + +[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428 +[2]: https://github.com/cilium/ebpf/pull/334 + +Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching") +Signed-off-by: Aleksa Sarai +--- + go.mod | 2 ++ + go.sum | 4 ++++ + libcontainer/cgroups/ebpf/ebpf_linux.go | 19 ++++++++++++++++--- + vendor/github.com/cilium/ebpf/syscalls.go | 5 ++--- + vendor/modules.txt | 2 +- + 5 files changed, 25 insertions(+), 7 deletions(-) + +diff --git a/go.mod b/go.mod +index df98934d3d50..b155440e1e32 100644 +--- a/go.mod ++++ b/go.mod +@@ -25,3 +25,5 @@ require ( + golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 + google.golang.org/protobuf v1.27.1 + ) ++ ++replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f +diff --git a/go.sum b/go.sum +index 15d3ac3fa791..413f1361ece6 100644 +--- a/go.sum ++++ b/go.sum +@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA + github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= + github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d 
h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY= + github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= ++github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU= ++github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= ++github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q= ++github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= + github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg= + github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= + github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go +index fa1b04e25991..b4141aaf6699 100644 +--- a/libcontainer/cgroups/ebpf/ebpf_linux.go ++++ b/libcontainer/cgroups/ebpf/ebpf_linux.go +@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) { + + // Convert the ids to program handles. + progIds = progIds[:size] +- programs := make([]*ebpf.Program, len(progIds)) +- for idx, progId := range progIds { ++ programs := make([]*ebpf.Program, 0, len(progIds)) ++ for _, progId := range progIds { + program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId)) + if err != nil { ++ // We skip over programs that give us -EACCES. This is ++ // necessary because there may be BPF programs that have been ++ // attached (such as with --systemd-cgroup) which have an LSM ++ // label that blocks us from interacting with the program. 
++ // ++ // Because additional BPF_CGROUP_DEVICE programs only can add ++ // restrictions, there's no real issue with just ignoring these ++ // programs (and stops runc from breaking on distributions with ++ // very strict SELinux policies). ++ if errors.Is(err, unix.EACCES) { ++ logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId) ++ continue ++ } + return nil, fmt.Errorf("cannot fetch program from id: %w", err) + } +- programs[idx] = program ++ programs = append(programs, program) + } + runtime.KeepAlive(progIds) + return programs, nil +diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go +index c530aadd9a5b..82678eb4043d 100644 +--- a/vendor/github.com/cilium/ebpf/syscalls.go ++++ b/vendor/github.com/cilium/ebpf/syscalls.go +@@ -360,10 +360,9 @@ func wrapObjError(err error) error { + return nil + } + if errors.Is(err, unix.ENOENT) { +- return fmt.Errorf("%w", ErrNotExist) ++ return ErrNotExist + } +- +- return errors.New(err.Error()) ++ return err + } + + func wrapMapError(err error) error { +diff --git a/vendor/modules.txt b/vendor/modules.txt +index 8c99aca8c125..7797d5acecb5 100644 +--- a/vendor/modules.txt ++++ b/vendor/modules.txt +@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset + # github.com/checkpoint-restore/go-criu/v5 v5.0.0 + github.com/checkpoint-restore/go-criu/v5 + github.com/checkpoint-restore/go-criu/v5/rpc +-# github.com/cilium/ebpf v0.6.1 ++# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f + github.com/cilium/ebpf + github.com/cilium/ebpf/asm + github.com/cilium/ebpf/internal +-- +2.32.0 + diff --git a/runc.changes b/runc.changes index 4df2350..7eb2b8a 100644 --- a/runc.changes +++ b/runc.changes 
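Review bot: The `errors.Is(err, unix.EACCES)` branch added to findAttachedCgroupDeviceFilters only works together with the vendored change further down in this same patch, where `wrapObjError` now returns `err` instead of `errors.New(err.Error())` (the old wrapping discarded the errno, so `errors.Is` could never match it), yet the Go comment does not record that coupling; I would append `// NOTE: relies on the vendored cilium/ebpf wrapObjError passing the raw errno through (backport of cilium/ebpf#334); if that wrapping changes, this check silently stops matching and EACCES becomes a hard failure again.` Second, the skipped program is reported only with `logrus.Debugf`, so when an inaccessible filter that is still attached later makes a `runc update` look like it had no effect there is no normal-level trace of why; a `Warnf`, or at least a sentence in the function's doc comment stating that the returned slice may omit attached programs the caller cannot open, would make that visible to operators. findAttachedCgroupDeviceFilters begins at line 59 of ebpf_linux.go, before this hunk, so its signature and doc comment are outside the view.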
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai + +- Backport to fix issues + with runc under openSUSE MicroOS's SELinux policy. boo#1187704 + + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch + ------------------------------------------------------------------- Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai diff --git a/runc.spec b/runc.spec index ed54ec3..fc9569d 100644 --- a/runc.spec +++ b/runc.spec @@ -36,6 +36,8 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring Source3: runc-rpmlintrc +# FIX-UPSTREAM: Backport of . boo#1187704 +Patch1: boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch BuildRequires: fdupes BuildRequires: go-go-md2man # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires @@ -69,6 +71,8 @@ and has grown to become a separate project entirely. %prep %setup -q -n %{name}-%{_version} +# boo#1187704 +%patch1 -p1 %build # build runc From 6a4e9d3d6c680f5d84cf4b8cbfaa8c8f3b7c3d1fe289ca5a2caf1626c81c7733 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 1 Jul 2021 10:36:06 +0000 Subject: [PATCH 3/3] Accepting request 903380 from home:cyphar:docker Cherry-pick patch correctly so it applies cleanly... OBS-URL: https://build.opensuse.org/request/show/903380 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=115 --- ...bpf-ignore-inaccessible-existing-programs.patch | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch index 63675a9..fa3abb5 100644 
--- a/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch +++ b/boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch @@ -1,4 +1,4 @@ -From 1f0f25356e7616869eb68a137eee22d9adc204b2 Mon Sep 17 00:00:00 2001 +From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 1 Jul 2021 12:55:08 +1000 Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs @@ -30,17 +30,17 @@ Signed-off-by: Aleksa Sarai 5 files changed, 25 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod -index df98934d3d50..b155440e1e32 100644 +index 6262a12198ca..95d14b12b36c 100644 --- a/go.mod +++ b/go.mod -@@ -25,3 +25,5 @@ require ( +@@ -26,3 +26,5 @@ require ( golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 - google.golang.org/protobuf v1.27.1 + google.golang.org/protobuf v1.26.0 ) + +replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f diff --git a/go.sum b/go.sum -index 15d3ac3fa791..413f1361ece6 100644 +index 0bc7fd057207..00bb16d7ff6f 100644 --- a/go.sum +++ b/go.sum @@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA @@ -55,7 +55,7 @@ index 15d3ac3fa791..413f1361ece6 100644 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go -index fa1b04e25991..b4141aaf6699 100644 +index fccf3931d6ee..dd119ad4f7a5 100644 --- a/libcontainer/cgroups/ebpf/ebpf_linux.go +++ b/libcontainer/cgroups/ebpf/ebpf_linux.go @@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) { @@ -106,7 +106,7 @@ index c530aadd9a5b..82678eb4043d 100644 func wrapMapError(err error) error { 
diff --git a/vendor/modules.txt b/vendor/modules.txt -index 8c99aca8c125..7797d5acecb5 100644 +index 6878ffcfb192..2da80d8ee4f6 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset