Comparing changes
Open a pull request
base repository: opencontainers/runc
base: v1.1.3
head repository: opencontainers/runc
compare: v1.1.4
- 20 commits
- 16 files changed
- 5 contributors
Commits on Jun 8, 2022
-
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for eb1552a - Browse repository at this point
Copy the full SHA eb1552aView commit details
Commits on Jun 9, 2022
-
merge branch 'pr-3490' into release-1.1
Kir Kolyshkin (3): VERSION: back to development VERSION: release 1.1.3 ci: add basic checks for CHANGELOG.md LGTMs: thaJeztah cyphar Closes #3490
Configuration menu - View commit details
-
Copy full SHA for 1e7bb5b - Browse repository at this point
Copy the full SHA 1e7bb5bView commit details
Commits on Jun 16, 2022
-
libct: fix mounting via wrong proc fd
Due to a bug in commit 9c44407, when the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup is mounted using the bind mount's mount fd. This can be reproduced with podman 4.1 (when configured to use runc): $ podman run --uidmap 0:100:10000 quay.io/libpod/testimage:20210610 mount Error: /home/kir/git/runc/runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied or manually with the spec mounts containing something like this: { "destination": "/etc/resolv.conf", "type": "bind", "source": "/userdata/resolv.conf", "options": [ "bind" ] }, { "destination": "/sys/fs/cgroup", "type": "cgroup", "source": "cgroup", "options": [ "rprivate", "nosuid", "noexec", "nodev", "relatime", "ro" ] } The issue was not found earlier since it requires using userns, and even then mount fd is ignored by mountToRootfs, except for bind mounts, and all the bind mounts have mountfd set, except for the case of cgroup v1's /sys/fs/cgroup which is internally transformed into a bunch of bind mounts. This is a minimal fix for the issue, suitable for backporting. A test case is added which reproduces the issue without the fix applied. Fixes: 9c44407 ("Open bind mount sources from the host userns") Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit d370e3c) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for fa3354d - Browse repository at this point
Copy the full SHA fa3354dView commit details
Commits on Jul 20, 2022
-
merge branch 'pr-3511' into release-1.1
Kir Kolyshkin (1): libct: fix mounting via wrong proc fd LGTMs: AkihiroSuda cyphar Closes #3511
Configuration menu - View commit details
-
Copy full SHA for afda6b7 - Browse repository at this point
Copy the full SHA afda6b7View commit details
Commits on Jul 26, 2022
-
tests/int: runc delete: fix flake, enable for rootless
The following failure was observed in CI (on centos-stream-8 in integration-cgroup suite): not ok 42 runc delete (from function `fail' in file tests/integration/helpers.bash, line 338, in test file tests/integration/delete.bats, line 30) `[ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output"' failed .... cgroup not cleaned up correctly: /sys/fs/cgroup/pids/system.slice/tmp-bats\x2drun\x2d68012-runc.IPOypI-state-testbusyboxdelete-runc.zriC8C.mount /sys/fs/cgroup/cpu,cpuacct/system.slice/tmp-bats\x2drun\x2d68012-runc.IPOypI-state-testbusyboxdelete-runc.zriC8C.mount ... Apparently, this is a cgroup systemd creates for a mount unit which appears then runc does internal /proc/self/exe bind-mount. The test case should not take it into account. The second problem with this test is it does not check that cgroup actually exists when the container is running (so checking that it was removed after makes less sense). For example, in rootless mode the cgroup might not have been created. Fix the find arguments to look for a specific cgroup name, and add a check that these arguments are correct (i.e. the cgroup is found when the container is running). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 728571c) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 6b94849 - Browse repository at this point
Copy the full SHA 6b94849View commit details -
[1.1] ci: fix delete.bats for GHA
A couple of test cases in delete.bats check that a particular cgroup exists (or doesn't exist) using find. This is now resulting in errors like these: find: ‘/sys/fs/cgroup/blkio/azsec’: Permission denied find: ‘/sys/fs/cgroup/blkio/azsec_clamav’: Permission denied find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec’: Permission denied find: ‘/sys/fs/cgroup/cpu,cpuacct/azsec_clamav’: Permission denied find: ‘/sys/fs/cgroup/memory/azsec’: Permission denied find: ‘/sys/fs/cgroup/memory/azsec_clamav’: Permission denied leading to test case failures. Apparently, GHA runs something else on a test box, so we get this. To fix, ignore non-zero exit code from find, and redirect its stderr to /dev/null. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for f46c0da - Browse repository at this point
Copy the full SHA f46c0daView commit details
Commits on Jul 28, 2022
-
This is a partial backport of commit 6e1d476 from main branch. Instead of specifying path to criu binary, use whatever is found in $PATH. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for c3986e5 - Browse repository at this point
Copy the full SHA c3986e5View commit details -
Configuration menu - View commit details
-
Copy full SHA for 3ca5673 - Browse repository at this point
Copy the full SHA 3ca5673View commit details -
merge branch 'pr-3538' into release-1.1
Kir Kolyshkin (4): CI: workaround CentOS Stream 9 criu issue tests/int: don't use --criu [1.1] ci: fix delete.bats for GHA tests/int: runc delete: fix flake, enable for rootless LGTMs: AkihiroSuda cyphar Closes #3538
Configuration menu - View commit details
-
Copy full SHA for f4aaf0d - Browse repository at this point
Copy the full SHA f4aaf0dView commit details -
[1.1] libct/nsenter: switch to sane_kill()
Signed-off-by: guodong <guodong9211@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for d614445 - Browse repository at this point
Copy the full SHA d614445View commit details -
merge branch 'pr-3536' into release-1.1
guodong (1): [1.1] libct/nsenter: switch to sane_kill() LGTMs: AkihiroSuda cyphar Closes #3536
Configuration menu - View commit details
-
Copy full SHA for 69734b9 - Browse repository at this point
Copy the full SHA 69734b9View commit details -
Fix error from runc run on noexec fs
When starting a new container, and the very last step of executing of a user process fails (last lines of (*linuxStandardInit).Init), it is too late to print a proper error since both the log pipe and the init pipe are closed. This is partially mitigated by using exec.LookPath() which is supposed to say whether we will be able to execute or not. Alas, it fails to do so when the binary to be executed resides on a filesystem mounted with noexec flag. A workaround would be to use access(2) with X_OK flag. Alas, it is not working when runc itself is a setuid (or setgid) binary. In this case, faccessat2(2) with AT_EACCESS can be used, but it is only available since Linux v5.8. So, use faccessat2(2) with AT_EACCESS if available. If not, fall back to access(2) for non-setuid runc, and do nothing for setuid runc (as there is nothing we can do). Note that this check if in addition to whatever exec.LookPath does. Fixes #3520 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 957d97b) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for d83a861 - Browse repository at this point
Copy the full SHA d83a861View commit details
Commits on Aug 2, 2022
-
Merge pull request #3541 from kolyshkin/1.1-exec-noexec
[1.1] Fix error from runc run on noexec fs
Mrunal Patel committedAug 2, 2022 Configuration menu - View commit details
-
Copy full SHA for b54084f - Browse repository at this point
Copy the full SHA b54084fView commit details
Commits on Aug 16, 2022
-
[1.1] ci/gha: fix cross-386 job vs go 1.19
When golang 1.19 is used to build unit tests on 386, it fails like this: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest <...> go test -timeout 3m -tags "seccomp" -v ./... <...> # github.com/opencontainers/runc/libcontainer/capabilities.test runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel runtime/cgo(.text): relocation target __stack_chk_fail_local not defined runtime/cgo(.text): relocation target __stack_chk_fail_local not defined The fix is to add CGO_CFLAGS=-fno-stack-protector. See also: - docker-library/golang#426 - https://go.dev/issue/52919 - https://go.dev/issue/54313 - https://go-review.googlesource.com/c/go/+/421935 Cherry picked from commit 589a9d5. Conflict in .github/workflows/test.yml due to missing commit dafcacb. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for c778598 - Browse repository at this point
Copy the full SHA c778598View commit details -
Merge pull request #3558 from kolyshkin/1.1-fix-cross-386
[1.1] ci/gha: fix cross-386 job vs go 1.19
Configuration menu - View commit details
-
Copy full SHA for 7c69bcc - Browse repository at this point
Copy the full SHA 7c69bccView commit details
Commits on Aug 18, 2022
-
Recently released codespell 2.2 adds some more false positives, such as: ./Makefile:78: ro ==> to, row, rob, rod, roe, rot ./Makefile:88: ro ==> to, row, rob, rod, roe, rot ./notify_socket.go:51: ro ==> to, row, rob, rod, roe, rot ./LICENSE:128: complies ==> compiles ./go.sum:59: BU ==> BY ./types/features/features.go:17: ro ==> to, row, rob, rod, roe, rot ./libcontainer/rootfs_linux.go:52: ro ==> to, row, rob, rod, roe, rot ./libcontainer/rootfs_linux.go:166: ro ==> to, row, rob, rod, roe, rot .... ./tests/integration/cgroup_delegation.bats:38: inh ==> in ... To fix: - exclude go.sum; - add ro and complies to the list of ignored words; - s/inh/inherit in cgroup_delegation.bats. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit df9e32b) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for ec2efc2 - Browse repository at this point
Copy the full SHA ec2efc2View commit details -
Merge pull request #3562 from kolyshkin/1.1-ci-codespell-2.2
[1.1] ci: fix for codespell 2.2
Configuration menu - View commit details
-
Copy full SHA for 1c6dc76 - Browse repository at this point
Copy the full SHA 1c6dc76View commit details -
[1.1] fix failed exec after systemctl daemon-reload
A regression reported for runc v1.1.3 says that "runc exec -t" fails after doing "systemctl daemon-reload": > exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown Apparently, with commit 7219387 we are no longer adding "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT). The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access). The fix is to do os.Stat only for "/dev" paths. Also, emit a warning that the path was skipped. Since the original idea was to emit less warnings, demote the level to debug. Note this also fixes the issue of not adding "m" permission for block-* and char-* devices. A test case is added, which reliably fails before the fix on both cgroup v1 and v2. This is a backport of commit 58b1374 to release-1.1 branch. Fixes: #3551 Fixes: 7219387 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 204c673 - Browse repository at this point
Copy the full SHA 204c673View commit details -
Merge pull request #3554 from kolyshkin/1.1-fix-dev-pts
[1.1] Fix failed exec after systemctl daemon-reload (regression in 1.1.3)
Configuration menu - View commit details
-
Copy full SHA for 46a5a84 - Browse repository at this point
Copy the full SHA 46a5a84View commit details
Commits on Aug 24, 2022
-
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Configuration menu - View commit details
-
Copy full SHA for 5fd4c4d - Browse repository at this point
Copy the full SHA 5fd4c4dView commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v1.1.3...v1.1.4