Accepting request 818193 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/818193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/runc?expand=0&rev=31

bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch

@@ -1,291 +0,0 @@
-From 5d13416879fe0f50c300d94c569ea77950cbee94 Mon Sep 17 00:00:00 2001
-From: Giuseppe Scrivano <gscrivan@redhat.com>
-Date: Fri, 25 May 2018 18:04:06 +0200
-Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
-
-if NOTIFY_SOCKET is used, do not block the main runc process waiting
-for events on the notify socket.  Bind mount the parent directory of
-the notify socket, so that "start" can create the socket and it is
-still accessible from the container.
-
-Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-(cherry picked from commit 25fd4a67571992b9121f77d2a4f0d89d4375f383)
----
- notify_socket.go | 132 +++++++++++++++++++++++++++++++++--------------
- signals.go       |   4 +-
- start.go         |  13 ++++-
- utils_linux.go   |  12 ++++-
- 4 files changed, 116 insertions(+), 45 deletions(-)
-
-diff --git a/notify_socket.go b/notify_socket.go
-index e7453c62..f313a7a6 100644
---- a/notify_socket.go
-+++ b/notify_socket.go
-@@ -7,11 +7,13 @@ import (
- 	"fmt"
- 	"net"
- 	"os"
-+	"path"
- 	"path/filepath"
-+	"strconv"
-+	"time"
- 
-+	"github.com/opencontainers/runc/libcontainer"
- 	"github.com/opencontainers/runtime-spec/specs-go"
--
--	"github.com/sirupsen/logrus"
- 	"github.com/urfave/cli"
- )
- 
-@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
- 	}
- 
- 	root := filepath.Join(context.GlobalString("root"), id)
--	path := filepath.Join(root, "notify.sock")
-+	socketPath := filepath.Join(root, "notify", "notify.sock")
- 
- 	notifySocket := &notifySocket{
- 		socket:     nil,
- 		host:       notifySocketHost,
--		socketPath: path,
-+		socketPath: socketPath,
- 	}
- 
- 	return notifySocket
-@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error {
- 
- // If systemd is supporting sd_notify protocol, this function will add support
- // for sd_notify protocol from within the container.
--func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) {
--	mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}}
-+func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) error {
-+	pathInContainer := filepath.Join("/run/notify", path.Base(s.socketPath))
-+	mount := specs.Mount{
-+		Destination: path.Dir(pathInContainer),
-+		Source:      path.Dir(s.socketPath),
-+		Options:     []string{"bind", "nosuid", "noexec", "nodev", "ro"},
-+	}
- 	spec.Mounts = append(spec.Mounts, mount)
--	spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host))
-+	spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", pathInContainer))
-+	return nil
- }
- 
--func (s *notifySocket) setupSocket() error {
-+func (s *notifySocket) bindSocket() error {
- 	addr := net.UnixAddr{
- 		Name: s.socketPath,
- 		Net:  "unixgram",
-@@ -71,46 +79,92 @@ func (s *notifySocket) setupSocket() error {
- 	return nil
- }
- 
--// pid1 must be set only with -d, as it is used to set the new process as the main process
--// for the service in systemd
--func (s *notifySocket) run(pid1 int) {
--	buf := make([]byte, 512)
--	notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"}
-+func (s *notifySocket) setupSocketDirectory() error {
-+	return os.Mkdir(path.Dir(s.socketPath), 0755)
-+}
-+
-+func notifySocketStart(context *cli.Context, notifySocketHost, id string) (*notifySocket, error) {
-+	notifySocket := newNotifySocket(context, notifySocketHost, id)
-+	if notifySocket == nil {
-+		return nil, nil
-+	}
-+
-+	if err := notifySocket.bindSocket(); err != nil {
-+		return nil, err
-+	}
-+	return notifySocket, nil
-+}
-+
-+func (n *notifySocket) waitForContainer(container libcontainer.Container) error {
-+	s, err := container.State()
-+	if err != nil {
-+		return err
-+	}
-+	return n.run(s.InitProcessPid)
-+}
-+
-+func (n *notifySocket) run(pid1 int) error {
-+	if n.socket == nil {
-+		return nil
-+	}
-+	notifySocketHostAddr := net.UnixAddr{Name: n.host, Net: "unixgram"}
- 	client, err := net.DialUnix("unixgram", nil, &notifySocketHostAddr)
- 	if err != nil {
--		logrus.Error(err)
--		return
-+		return err
- 	}
--	for {
--		r, err := s.socket.Read(buf)
--		if err != nil {
--			break
--		}
--		var out bytes.Buffer
--		for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) {
--			if bytes.HasPrefix(line, []byte("READY=")) {
--				_, err = out.Write(line)
--				if err != nil {
--					return
--				}
- 
--				_, err = out.Write([]byte{'\n'})
--				if err != nil {
--					return
--				}
-+	ticker := time.NewTicker(time.Millisecond * 100)
-+	defer ticker.Stop()
- 
--				_, err = client.Write(out.Bytes())
--				if err != nil {
-+	fileChan := make(chan []byte)
-+	go func() {
-+		for {
-+			buf := make([]byte, 4096)
-+			r, err := n.socket.Read(buf)
-+			if err != nil {
-+				return
-+			}
-+			got := buf[0:r]
-+			// systemd-ready sends a single datagram with the state string as payload,
-+			// so we don't need to worry about partial messages.
-+			for _, line := range bytes.Split(got, []byte{'\n'}) {
-+				if bytes.HasPrefix(got, []byte("READY=")) {
-+					fileChan <- line
- 					return
- 				}
-+			}
- 
--				// now we can inform systemd to use pid1 as the pid to monitor
--				if pid1 > 0 {
--					newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
--					client.Write([]byte(newPid))
--				}
--				return
-+		}
-+	}()
-+
-+	for {
-+		select {
-+		case <-ticker.C:
-+			_, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid1)))
-+			if err != nil {
-+				return nil
- 			}
-+		case b := <-fileChan:
-+			var out bytes.Buffer
-+			_, err = out.Write(b)
-+			if err != nil {
-+				return err
-+			}
-+
-+			_, err = out.Write([]byte{'\n'})
-+			if err != nil {
-+				return err
-+			}
-+
-+			_, err = client.Write(out.Bytes())
-+			if err != nil {
-+				return err
-+			}
-+
-+			// now we can inform systemd to use pid1 as the pid to monitor
-+			newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
-+			client.Write([]byte(newPid))
-+			return nil
- 		}
- 	}
- }
-diff --git a/signals.go b/signals.go
-index b67f65a0..dd25e094 100644
---- a/signals.go
-+++ b/signals.go
-@@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
- 			h.notifySocket.run(pid1)
- 			return 0, nil
- 		}
-+		h.notifySocket.run(os.Getpid())
- 		go h.notifySocket.run(0)
- 	}
- 
-@@ -97,9 +98,6 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
- 					// status because we must ensure that any of the go specific process
- 					// fun such as flushing pipes are complete before we return.
- 					process.Wait()
--					if h.notifySocket != nil {
--						h.notifySocket.Close()
--					}
- 					return e.status, nil
- 				}
- 			}
-diff --git a/start.go b/start.go
-index 2bb698b2..3a1769a4 100644
---- a/start.go
-+++ b/start.go
-@@ -3,6 +3,7 @@ package main
- import (
- 	"errors"
- 	"fmt"
-+	"os"
- 
- 	"github.com/opencontainers/runc/libcontainer"
- 	"github.com/urfave/cli"
-@@ -31,7 +32,17 @@ your host.`,
- 		}
- 		switch status {
- 		case libcontainer.Created:
--			return container.Exec()
-+			notifySocket, err := notifySocketStart(context, os.Getenv("NOTIFY_SOCKET"), container.ID())
-+			if err != nil {
-+				return err
-+			}
-+			if err := container.Exec(); err != nil {
-+				return err
-+			}
-+			if notifySocket != nil {
-+				return notifySocket.waitForContainer(container)
-+			}
-+			return nil
- 		case libcontainer.Stopped:
- 			return errors.New("cannot start a container that has stopped")
- 		case libcontainer.Running:
-diff --git a/utils_linux.go b/utils_linux.go
-index 984e6b0f..46c26246 100644
---- a/utils_linux.go
-+++ b/utils_linux.go
-@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
- 
- 	notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
- 	if notifySocket != nil {
--		notifySocket.setupSpec(context, spec)
-+		if err := notifySocket.setupSpec(context, spec); err != nil {
-+			return -1, err
-+		}
- 	}
- 
- 	container, err := createContainer(context, id, spec)
-@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
- 	}
- 
- 	if notifySocket != nil {
--		err := notifySocket.setupSocket()
-+		err := notifySocket.setupSocketDirectory()
- 		if err != nil {
- 			return -1, err
- 		}
-+		if action == CT_ACT_RUN {
-+			err := notifySocket.bindSocket()
-+			if err != nil {
-+				return -1, err
-+			}
-+		}
- 	}
- 
- 	// Support on-demand socket activation by passing file descriptors into the container init process.
--- 
-2.25.1
-

runc-1.0.0-rc10.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c823307ce8695af05381c5c25a92daacd6219c674d8bebaa0e1bff801c2b1f24
-size 743480

runc-1.0.0-rc10.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJDBAABCAAtFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl4pJHYPHGFzYXJhaUBz
-dXNlLmRlAAoJEJ4YqiZ92420DgkP/2zEWRsjx/qNMFnwOo6yYy+sGeQn8KMmEQRD
-9OpX+mF6BtIMICQ9ocenYjTkwzd7UVq4SC1VXFKBZQgchlH4X+5RT89AUiFePRsi
-jsEP5Cwr/5xDBhW6gvwh5V1Z+XzdxTb4lNuodoFm0OucNoFGp7vCbKmfgxqY/m66
-9R23tKouot0y6q1sSBG2lLwwmj7JAQboxtVA+dTEzmhnEyfh0UzBlJKDW1I79mbE
-NeD1r/Rh/NVrJL6HaKfXhdVvITVyeabQLBgj0Y/JYVCWMfyXnz7sBJQ7lrwtVV+P
-9qROtwSu15vOLi9d2u+U8SwjAmDz01kLH3rYji/Xtie3xk8i/8yD9q8lFjA3fbu5
-IOs1vogsWt6yMWRnXHWbBxMmtOw+RQJ/gyUpCJE5MeMQNHPsZ6wYbMXTfzdqFnse
-bTkOHPPIRqnK6mDT0b3CoS7Ugi8qZs2lZ8CvVoOeTqaCMb5SIWehF7jIbo0ECzGf
-TQ0cZ982M03Rm4NjI7G5SCKIpJPEtOYS0NauOn6oqdDON9qCJVZdecCfdWYdEO1n
-ikpea7Ahc5x0g9p0WF+HsewvqpMpWUdCsVmLPiwJrBG2GFOC3oPvB2vjKUk28ix1
-3B7v3JS/XHlokRPMEkJn+zR7CVWchaT7Ov+3AHM9VCjk5dgNdADF3y7DYG8Q/ccV
-TZGdkemL
-=UoY/
------END PGP SIGNATURE-----

runc-1.0.0-rc91.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:218bfeb626b729a686e5df1216410a19d3147185109a481ea68a0c0cb872074a
+size 1123984

runc-1.0.0-rc91.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAl79NOcACgkQnhiqJn3b
+jbR4xBAAtu5FwyYuHBiy2g7piPnnHjD3LNJ10DTvJXnNzxncipZjv6m5EERuiaiH
+ugtl06dNfMB1A7e+faI5JMsHcjqnOlzcDTs5RHjNV/lvCfCjvAIYsjn56HmSF56U
+wrnOa7buXrGykUBPPJwRe6oJM/Rq8E+L1FbO4yxzAU94H6iFZTJUY6YgAMndXy91
++lAxu47ehohQ27rbdhMUgm/HELsskN401+bYFGMMTq24vEHlJ56pNeZHKisaLOrI
+6iVJhT0VpEjGJJhChHDLOx5b22Dfq3SzAd2189SymJTas8CaRWhADeHSSHYGY9UC
+VDtDpwUtlLJIksQSTdcPuBuKbfIy0zHYCn+sowklRlMQz8tUbO+xXuOhX5k3dLe8
+F+k/+NU9lxBZsp/MKkBzC1YaBDOHD95wI7Lc0iT0LIZCYXg8pWUbVfuPSFBx8cCA
+/uyp3WnrK5gsZHMFEMCrFkBL+y0XB45Fo5Y6cKpPRuOGOjvSIAP2PvHHM78oE8Ax
+LJxEmLp7thJTNFoVVlp8pPfnkZqsj+/8a9j5jjZra9c0WIC6gYkXgida70Oq9yxj
+7AGiK+o7XS3dqzynHHSODsQu89i1zwSrkFbqIgsfem2JTc2NRJV/ouCBhKatjuSW
+YbGcXH7NNeXSWb67TmKhUgQihBainYU5L5W0Y6M4/9mu73R5tG4=
+=Af6r
+-----END PGP SIGNATURE-----

runc.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Jul  2 01:24:49 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Upgrade to runc v1.0.0~rc91. Upstream changelog is available from
+  https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc91
+
+  * This release of runc has experimental support for cgroupv2-only systems.
+
+- Remove upstreamed patches:
+  - bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
+  - bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch
+
+-------------------------------------------------------------------
+Thu Jun 25 22:34:03 UTC 2020 - Aleksa Sarai <asarai@suse.com>
+
+- Switch to Go 1.13 for build.
+
 -------------------------------------------------------------------
 Wed May 13 06:49:44 UTC 2020 - Aleksa Sarai <asarai@suse.com>
 

runc.spec

@@ -22,9 +22,9 @@
 %define git_version %{nil}
 
 # Package-wide golang version
-%define go_version 1.10
+%define go_version 1.13
 %define go_tool go
-%define _version 1.0.0-rc10
+%define _version 1.0.0-rc91
 %define project github.com/opencontainers/runc
 
 # enable libseccomp for sle >= sle12sp2
@@ -41,7 +41,7 @@
 %endif
 
 Name:           runc
-Version:        1.0.0~rc10
+Version:        1.0.0~rc91
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@@ -51,13 +51,11 @@ Source0:        https://github.com/opencontainers/runc/releases/download/v%{_ver
 Source1:        https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc
 Source2:        runc.keyring
 Source3:        runc-rpmlintrc
-# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/1807. bsc#1149954
-Patch0:         bsc1149954-0001-sd-notify-do-not-hang-when-NOTIFY_SOCKET-is-used-wit.patch
-# FIX-UPSTREAM: Backport of https://github.com/opencontainers/runc/pull/2391. bsc#1168481
-Patch1:         bsc1168481-0001-cgroup-devices-major-cleanups-and-minimal-transition.patch
 BuildRequires:  fdupes
 BuildRequires:  go-go-md2man
-BuildRequires:  golang(API) >= %{go_version}
+# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
+# for 'golang(API) >= 1.x' here, so just require 1.x exactly. bsc#1172608
+BuildRequires:  go%{go_version}
 %if 0%{?with_libseccomp}
 BuildRequires:  libseccomp-devel
 %endif
@@ -73,7 +71,7 @@ and has grown to become a separate project entirely.
 %package test
 Summary:        Test package for runc
 Group:          System/Management
-BuildRequires:  golang(API) >= %{go_version}
+BuildRequires:  go%{go_version}
 %if 0%{?with_libseccomp}
 BuildRequires:  libseccomp-devel
 %endif
@@ -88,10 +86,6 @@ Test package for runc. It contains the source code and the tests.
 
 %prep
 %setup -q -n %{name}-%{_version}
-# bsc#1149954
-%patch0 -p1
-# bsc#1168481
-%patch1 -p1
 
 %build
 # Do not use symlinks. If you want to run the unit tests for this package at