forked from pool/runc

Accepting request 907285 from home:cyphar:docker

- Update to runc v1.0.1. Upstream changelog is available from
  https://github.com/opencontainers/runc/releases/tag/v1.0.1

  * Fixed occasional runc exec/run failure ("interrupted system call") on an
    Azure volume.
  * Fixed "unable to find groups ... token too long" error with /etc/group
    containing lines longer than 64K characters.
  * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
    frozen. This is a regression in 1.0.0, not affecting runc itself but some
    of libcontainer users (e.g Kubernetes).
  * cgroupv2: bpf: Ignore inaccessible existing programs in case of
    permission error when handling replacement of existing bpf cgroup
    programs. This fixes a regression in 1.0.0, where some SELinux
    policies would block runc from being able to run entirely.
  * cgroup/systemd/v2: don't freeze cgroup on Set.
  * cgroup/systemd/v1: avoid unnecessary freeze on Set.

- Remove upstreamed patches:
  + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch

OBS-URL: https://build.opensuse.org/request/show/907285
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/runc?expand=0&rev=116
Aleksa Sarai 2021-07-20 09:40:45 +00:00 committed by Git OBS Bridge
parent 5eef441a29
commit bb50268589
7 changed files with 50 additions and 159 deletions


@ -1,123 +0,0 @@
From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Thu, 1 Jul 2021 12:55:08 +1000
Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs
This is necessary in order for runc to be able to configure device
cgroups with --systemd-cgroup on distributions that have very strict
SELinux policies such as openSUSE MicroOS[1].
The core issue here is that systemd is adding its own BPF policy that
has an SELinux label such that runc cannot interact with it. In order to
work around this, we can just ignore the policy -- in theory this
behaviour is not correct but given that the most obvious case
(--systemd-cgroup) will still handle updates correctly, this logic is
reasonable.
(This also contains a backport of [2].)
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428
[2]: https://github.com/cilium/ebpf/pull/334
Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
go.mod | 2 ++
go.sum | 4 ++++
libcontainer/cgroups/ebpf/ebpf_linux.go | 19 ++++++++++++++++---
vendor/github.com/cilium/ebpf/syscalls.go | 5 ++---
vendor/modules.txt | 2 +-
5 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 6262a12198ca..95d14b12b36c 100644
--- a/go.mod
+++ b/go.mod
@@ -26,3 +26,5 @@ require (
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
google.golang.org/protobuf v1.26.0
)
+
+replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
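Review bot: the `replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f` directive redirects a vendored dependency to a personal fork pinned by pseudo-version; that is acceptable for a short-lived distro backport, but it is the reason this patch must not outlive the upstream fix, since every rebuild would otherwise keep pulling code from outside the cilium/ebpf project. Dropping the patch, as this commit does, removes the redirect together with the go.sum entries below; confirm that the v1.0.1 tarball's go.mod carries no replace of its own.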
diff --git a/go.sum b/go.sum
index 0bc7fd057207..00bb16d7ff6f 100644
--- a/go.sum
+++ b/go.sum
@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU=
+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q=
+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
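Review bot: two pseudo-versions of github.com/cyphar/ebpf are added here (the 20210701040454-26565c82f4f1 pair and the 20210701060515-e654431ae87f pair) while the go.mod replace only references the latter; the earlier pair is left over from an intermediate build and `go mod tidy` would have dropped it. Harmless in a patch that is now being deleted, but worth knowing for anyone regenerating a similar backport.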
diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go
index fccf3931d6ee..dd119ad4f7a5 100644
--- a/libcontainer/cgroups/ebpf/ebpf_linux.go
+++ b/libcontainer/cgroups/ebpf/ebpf_linux.go
@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) {
// Convert the ids to program handles.
progIds = progIds[:size]
- programs := make([]*ebpf.Program, len(progIds))
- for idx, progId := range progIds {
+ programs := make([]*ebpf.Program, 0, len(progIds))
+ for _, progId := range progIds {
program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId))
if err != nil {
+ // We skip over programs that give us -EACCES. This is
+ // necessary because there may be BPF programs that have been
+ // attached (such as with --systemd-cgroup) which have an LSM
+ // label that blocks us from interacting with the program.
+ //
+ // Because additional BPF_CGROUP_DEVICE programs only can add
+ // restrictions, there's no real issue with just ignoring these
+ // programs (and stops runc from breaking on distributions with
+ // very strict SELinux policies).
+ if errors.Is(err, unix.EACCES) {
+ logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId)
+ continue
+ }
return nil, fmt.Errorf("cannot fetch program from id: %w", err)
}
- programs[idx] = program
+ programs = append(programs, program)
}
runtime.KeepAlive(progIds)
return programs, nil
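Review bot: a skipped program is not merely ignored, it stays attached and keeps enforcing whatever device rules it carries, so runc's later replacement can only tighten, never relax, policy for that cgroup; the comment says as much, but logging the branch with `logrus.Debugf` means an operator at the default log level gets no indication that part of the device policy is outside runc's control. Consider `logrus.Warnf` for this case. The hunk also uses `errors`, `logrus` and `unix` without touching the import block, so it assumes all three are already imported in ebpf_linux.go.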
diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go
index c530aadd9a5b..82678eb4043d 100644
--- a/vendor/github.com/cilium/ebpf/syscalls.go
+++ b/vendor/github.com/cilium/ebpf/syscalls.go
@@ -360,10 +360,9 @@ func wrapObjError(err error) error {
return nil
}
if errors.Is(err, unix.ENOENT) {
- return fmt.Errorf("%w", ErrNotExist)
+ return ErrNotExist
}
-
- return errors.New(err.Error())
+ return err
}
func wrapMapError(err error) error {
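Review bot: `return errors.New(err.Error())` flattened the original syscall error into a plain string, which is exactly why `errors.Is(err, unix.EACCES)` in ebpf_linux.go could not work against unmodified cilium/ebpf v0.6.1; the `return err` here preserves the errno chain. Since this commit drops the backport, the cilium/ebpf version vendored by runc v1.0.1 must include the equivalent change (cilium/ebpf#334 per the patch description), otherwise the upstream EACCES check would silently never match and the SELinux regression would return.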
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6878ffcfb192..2da80d8ee4f6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset
# github.com/checkpoint-restore/go-criu/v5 v5.0.0
github.com/checkpoint-restore/go-criu/v5
github.com/checkpoint-restore/go-criu/v5/rpc
-# github.com/cilium/ebpf v0.6.1
+# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
github.com/cilium/ebpf
github.com/cilium/ebpf/asm
github.com/cilium/ebpf/internal
--
2.32.0


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ccdf1ac45cb1bb36eb1810457c6b1a513666958d83a96e01fff6085ba179c9f1
size 1408812


@ -1,17 +0,0 @@

runc-1.0.1.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7401a8be2556490074418c4b04c6e0584854ff15e899da9ebeb6d22abd877323
size 1413044
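Review bot: the pointer records only the size and sha256 of runc-1.0.1.tar.xz; the detached signature runc-1.0.1.tar.xz.asc added alongside it and the `runc.keyring` listed as Source2 in the spec are what tie that digest to the upstream release, so confirm the source signature check passes against the new tarball before accepting the request.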

runc-1.0.1.tar.xz.asc Normal file

@ -0,0 +1,17 @@


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Sun Jul 18 02:40:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to runc v1.0.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.1
* Fixed occasional runc exec/run failure ("interrupted system call") on an
Azure volume.
* Fixed "unable to find groups ... token too long" error with /etc/group
containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
frozen. This is a regression in 1.0.0, not affecting runc itself but some
of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux
policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- Remove upstreamed patches:
+ boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
-------------------------------------------------------------------
Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com>
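Review bot: the "Remove upstreamed patches" entry names the patch file but not the bug it addressed; the spec carried `boo#1187704` next to Patch1 and that reference disappears with it. Adding the bug number to this entry (or to the cgroupv2/bpf bullet above it) keeps the link from the bug report to the runc v1.0.1 release that closes it.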


@ -18,15 +18,15 @@
# MANUAL: Make sure you update this each time you update runc.
%define git_version 12644e614e25b05da6fd08a38ffa0cfe1903fdec
%define git_version 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7
# Package-wide golang version
%define go_version 1.13
%define project github.com/opencontainers/runc
Name: runc
Version: 1.0.0
%define _version 1.0.0
Version: 1.0.1
%define _version 1.0.1
Release: 0
Summary: Tool for spawning and running OCI containers
License: Apache-2.0
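Review bot: `git_version` is bumped by hand, as the `# MANUAL` comment warns, and nothing in this diff ties 4144b63817ebcc5b358fc2c8ef95f7cddd709aa7 to the v1.0.1 tag; verify it against the upstream tag before merging, since a stale value here is easy to miss because the build still succeeds.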
@ -36,8 +36,6 @@ Source0: https://github.com/opencontainers/runc/releases/download/v%{_ver
Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
Source2: runc.keyring
Source3: runc-rpmlintrc
# FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/3055>. boo#1187704
Patch1: boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch
BuildRequires: fdupes
BuildRequires: go-go-md2man
# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
@ -49,17 +47,12 @@ Recommends: criu
# There used to be a docker-runc package which was specifically for Docker.
# Since Docker now tracks upstream more consistently, we use the same package
# but we need to obsolete the old one. bsc#1181677
# NOTE: We can't use the package version here because docker-runc used a
# different versioning scheme by accident (1.0.0rc92 vs 1.0.0~rc92 -- and
# GNU sort considers the former to be newer than the latter, in fact
# 1.0.0rc92 is newer than 1.0.0 according to GNU sort). So we invent a
# fake 1.0.0.1 version.
Obsoletes: docker-runc < 1.0.0.1
Provides: docker-runc = 1.0.0.1.%{version}
Obsoletes: docker-runc < %{version}
Provides: docker-runc = %{version}
# KUBIC-SPECIFIC: There used to be a kubic-specific docker-runc package, but
# now it's been merged into the one package. bsc#1181677
Obsoletes: docker-runc-kubic < 1.0.0.1
Provides: docker-runc-kubic = 1.0.0.1.%{version}
Obsoletes: docker-runc-kubic < %{version}
Provides: docker-runc-kubic = %{version}
Obsoletes: docker-runc = 0.1.1+gitr2819_50a19c6
Obsoletes: docker-runc_50a19c6
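Review bot: the removed NOTE comment documented why a fabricated 1.0.0.1 version was needed; replacing it with `%{version}` is safe now only because rpmvercmp compares 1.0.1 against 1.0.0rc92 segment by segment (1,0,1 versus 1,0,0,rc,92) and ranks 1.0.1 newer, which was not the case for 1.0.0. A one-line comment recording that the workaround became unnecessary at 1.0.1 would save the next maintainer from rediscovering this.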
@ -71,8 +64,6 @@ and has grown to become a separate project entirely.
%prep
%setup -q -n %{name}-%{_version}
# boo#1187704
%patch1 -p1
%build
# build runc