vendor: bump runc to 1.1.1

Release notes:
  https://github.com/opencontainers/runc/releases/tag/v1.1.1

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Kir Kolyshkin 2022-03-29 06:58:09 -07:00
parent 1ea07d482a
commit 79c17cf44e
9 changed files with 58 additions and 49 deletions

4
go.mod

@ -63,7 +63,7 @@ require (
github.com/mvdan/xurls v1.1.0 github.com/mvdan/xurls v1.1.0
github.com/onsi/ginkgo v1.14.0 github.com/onsi/ginkgo v1.14.0
github.com/onsi/gomega v1.10.1 github.com/onsi/gomega v1.10.1
github.com/opencontainers/runc v1.1.0 github.com/opencontainers/runc v1.1.1
github.com/opencontainers/selinux v1.10.0 github.com/opencontainers/selinux v1.10.0
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0 github.com/pmezard/go-difflib v1.0.0
@ -337,7 +337,7 @@ replace (
github.com/onsi/gomega => github.com/onsi/gomega v1.10.1 github.com/onsi/gomega => github.com/onsi/gomega v1.10.1
github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2 github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.0 github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0 github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0
github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0 github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0

4
go.sum

@ -343,8 +343,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= github.com/opencontainers/runc v1.1.1 h1:PJ9DSs2sVwE0iVr++pAHE6QkS9tzcVWozlPifdwMgrU=
github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU= github.com/opencontainers/selinux v1.10.0 h1:rAiKF8hTcgLI3w0DHm6i0ylVVcOrlgR1kK99DRLDhyU=


@ -1,6 +1,6 @@
# libcontainer # libcontainer
[![GoDoc](https://godoc.org/github.com/opencontainers/runc/libcontainer?status.svg)](https://godoc.org/github.com/opencontainers/runc/libcontainer) [![Go Reference](https://pkg.go.dev/badge/github.com/opencontainers/runc/libcontainer.svg)](https://pkg.go.dev/github.com/opencontainers/runc/libcontainer)
Libcontainer provides a native Go implementation for creating containers Libcontainer provides a native Go implementation for creating containers
with namespaces, cgroups, capabilities, and filesystem access controls. with namespaces, cgroups, capabilities, and filesystem access controls.


@ -2,6 +2,7 @@ package systemd
import ( import (
"bufio" "bufio"
"errors"
"fmt" "fmt"
"math" "math"
"os" "os"
@ -292,6 +293,12 @@ func (m *unifiedManager) Apply(pid int) error {
} }
if c.OwnerUID != nil { if c.OwnerUID != nil {
// The directory itself must be chowned.
err := os.Chown(m.path, *c.OwnerUID, -1)
if err != nil {
return err
}
filesToChown, err := cgroupFilesToChown() filesToChown, err := cgroupFilesToChown()
if err != nil { if err != nil {
return err return err
@ -299,7 +306,8 @@ func (m *unifiedManager) Apply(pid int) error {
for _, v := range filesToChown { for _, v := range filesToChown {
err := os.Chown(m.path+"/"+v, *c.OwnerUID, -1) err := os.Chown(m.path+"/"+v, *c.OwnerUID, -1)
if err != nil { // Some files might not be present.
if err != nil && !errors.Is(err, os.ErrNotExist) {
return err return err
} }
} }
@ -312,11 +320,15 @@ func (m *unifiedManager) Apply(pid int) error {
// uid in /sys/kernel/cgroup/delegate. If the file is not present // uid in /sys/kernel/cgroup/delegate. If the file is not present
// (Linux < 4.15), use the initial values mentioned in cgroups(7). // (Linux < 4.15), use the initial values mentioned in cgroups(7).
func cgroupFilesToChown() ([]string, error) { func cgroupFilesToChown() ([]string, error) {
filesToChown := []string{"."} // the directory itself must be chowned
const cgroupDelegateFile = "/sys/kernel/cgroup/delegate" const cgroupDelegateFile = "/sys/kernel/cgroup/delegate"
f, err := os.Open(cgroupDelegateFile) f, err := os.Open(cgroupDelegateFile)
if err == nil { if err != nil {
return []string{"cgroup.procs", "cgroup.subtree_control", "cgroup.threads"}, nil
}
defer f.Close() defer f.Close()
filesToChown := []string{}
scanner := bufio.NewScanner(f) scanner := bufio.NewScanner(f)
for scanner.Scan() { for scanner.Scan() {
filesToChown = append(filesToChown, scanner.Text()) filesToChown = append(filesToChown, scanner.Text())
@ -324,9 +336,7 @@ func cgroupFilesToChown() ([]string, error) {
if err := scanner.Err(); err != nil { if err := scanner.Err(); err != nil {
return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err) return nil, fmt.Errorf("error reading %s: %w", cgroupDelegateFile, err)
} }
} else {
filesToChown = append(filesToChown, "cgroup.procs", "cgroup.subtree_control", "cgroup.threads")
}
return filesToChown, nil return filesToChown, nil
} }


@ -55,12 +55,12 @@ func IsCgroup2HybridMode() bool {
var st unix.Statfs_t var st unix.Statfs_t
err := unix.Statfs(hybridMountpoint, &st) err := unix.Statfs(hybridMountpoint, &st)
if err != nil { if err != nil {
if os.IsNotExist(err) {
// ignore the "not found" error
isHybrid = false isHybrid = false
return if !os.IsNotExist(err) {
// Report unexpected errors.
logrus.WithError(err).Debugf("statfs(%q) failed", hybridMountpoint)
} }
panic(fmt.Sprintf("cannot statfs cgroup root: %s", err)) return
} }
isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC isHybrid = st.Type == unix.CGROUP2_SUPER_MAGIC
}) })


@ -229,10 +229,6 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
func (v *ConfigValidator) intelrdt(config *configs.Config) error { func (v *ConfigValidator) intelrdt(config *configs.Config) error {
if config.IntelRdt != nil { if config.IntelRdt != nil {
if !intelrdt.IsCATEnabled() && !intelrdt.IsMBAEnabled() {
return errors.New("intelRdt is specified in config, but Intel RDT is not supported or enabled")
}
if config.IntelRdt.ClosID == "." || config.IntelRdt.ClosID == ".." || strings.Contains(config.IntelRdt.ClosID, "/") { if config.IntelRdt.ClosID == "." || config.IntelRdt.ClosID == ".." || strings.Contains(config.IntelRdt.ClosID, "/") {
return fmt.Errorf("invalid intelRdt.ClosID %q", config.IntelRdt.ClosID) return fmt.Errorf("invalid intelRdt.ClosID %q", config.IntelRdt.ClosID)
} }


@ -636,7 +636,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
// cgroup v1: using the same path for all controllers. // cgroup v1: using the same path for all controllers.
// cgroup v2: the only possible way. // cgroup v2: the only possible way.
for k := range proc.cgroupPaths { for k := range proc.cgroupPaths {
proc.cgroupPaths[k] = path.Join(proc.cgroupPaths[k], add) subPath := path.Join(proc.cgroupPaths[k], add)
if !strings.HasPrefix(subPath, proc.cgroupPaths[k]) {
return nil, fmt.Errorf("%s is not a sub cgroup path", add)
}
proc.cgroupPaths[k] = subPath
} }
// cgroup v2: do not try to join init process's cgroup // cgroup v2: do not try to join init process's cgroup
// as a fallback (see (*setnsProcess).start). // as a fallback (see (*setnsProcess).start).
@ -645,7 +649,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
// Per-controller paths. // Per-controller paths.
for ctrl, add := range p.SubCgroupPaths { for ctrl, add := range p.SubCgroupPaths {
if val, ok := proc.cgroupPaths[ctrl]; ok { if val, ok := proc.cgroupPaths[ctrl]; ok {
proc.cgroupPaths[ctrl] = path.Join(val, add) subPath := path.Join(val, add)
if !strings.HasPrefix(subPath, val) {
return nil, fmt.Errorf("%s is not a sub cgroup path", add)
}
proc.cgroupPaths[ctrl] = subPath
} else { } else {
return nil, fmt.Errorf("unknown controller %s in SubCgroupPaths", ctrl) return nil, fmt.Errorf("unknown controller %s in SubCgroupPaths", ctrl)
} }


@ -8,7 +8,6 @@ import (
"io" "io"
"net" "net"
"os" "os"
"strconv"
"strings" "strings"
"unsafe" "unsafe"
@ -406,40 +405,36 @@ func fixStdioPermissions(u *user.ExecUser) error {
if err := unix.Stat("/dev/null", &null); err != nil { if err := unix.Stat("/dev/null", &null); err != nil {
return &os.PathError{Op: "stat", Path: "/dev/null", Err: err} return &os.PathError{Op: "stat", Path: "/dev/null", Err: err}
} }
for _, fd := range []uintptr{ for _, file := range []*os.File{os.Stdin, os.Stdout, os.Stderr} {
os.Stdin.Fd(),
os.Stderr.Fd(),
os.Stdout.Fd(),
} {
var s unix.Stat_t var s unix.Stat_t
if err := unix.Fstat(int(fd), &s); err != nil { if err := unix.Fstat(int(file.Fd()), &s); err != nil {
return &os.PathError{Op: "fstat", Path: "fd " + strconv.Itoa(int(fd)), Err: err} return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
} }
// Skip chown of /dev/null if it was used as one of the STDIO fds. // Skip chown if uid is already the one we want.
if s.Rdev == null.Rdev { if int(s.Uid) == u.Uid {
continue continue
} }
// We only change the uid owner (as it is possible for the mount to // We only change the uid (as it is possible for the mount to
// prefer a different gid, and there's no reason for us to change it). // prefer a different gid, and there's no reason for us to change it).
// The reason why we don't just leave the default uid=X mount setup is // The reason why we don't just leave the default uid=X mount setup is
// that users expect to be able to actually use their console. Without // that users expect to be able to actually use their console. Without
// this code, you couldn't effectively run as a non-root user inside a // this code, you couldn't effectively run as a non-root user inside a
// container and also have a console set up. // container and also have a console set up.
if err := unix.Fchown(int(fd), u.Uid, int(s.Gid)); err != nil { if err := file.Chown(u.Uid, int(s.Gid)); err != nil {
// If we've hit an EINVAL then s.Gid isn't mapped in the user // If we've hit an EINVAL then s.Gid isn't mapped in the user
// namespace. If we've hit an EPERM then the inode's current owner // namespace. If we've hit an EPERM then the inode's current owner
// is not mapped in our user namespace (in particular, // is not mapped in our user namespace (in particular,
// privileged_wrt_inode_uidgid() has failed). In either case, we // privileged_wrt_inode_uidgid() has failed). Read-only
// are in a configuration where it's better for us to just not // /dev can result in EROFS error. In any case, it's
// touch the stdio rather than bail at this point. // better for us to just not touch the stdio rather
// than bail at this point.
// nolint:errorlint // unix errors are bare if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) {
if err == unix.EINVAL || err == unix.EPERM {
continue continue
} }
return &os.PathError{Op: "fchown", Path: "fd " + strconv.Itoa(int(fd)), Err: err} return err
} }
} }
return nil return nil

4
vendor/modules.txt vendored

@ -596,7 +596,7 @@ github.com/onsi/gomega/matchers/support/goraph/util
github.com/onsi/gomega/types github.com/onsi/gomega/types
# github.com/opencontainers/go-digest v1.0.0 => github.com/opencontainers/go-digest v1.0.0 # github.com/opencontainers/go-digest v1.0.0 => github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/go-digest github.com/opencontainers/go-digest
# github.com/opencontainers/runc v1.1.0 => github.com/opencontainers/runc v1.1.0 # github.com/opencontainers/runc v1.1.1 => github.com/opencontainers/runc v1.1.1
## explicit ## explicit
github.com/opencontainers/runc/libcontainer github.com/opencontainers/runc/libcontainer
github.com/opencontainers/runc/libcontainer/apparmor github.com/opencontainers/runc/libcontainer/apparmor
@ -2615,7 +2615,7 @@ sigs.k8s.io/yaml
# github.com/onsi/gomega => github.com/onsi/gomega v1.10.1 # github.com/onsi/gomega => github.com/onsi/gomega v1.10.1
# github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0 # github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.0
# github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2 # github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2
# github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.0 # github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.1
# github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 # github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
# github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0 # github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.10.0
# github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0 # github.com/opentracing/opentracing-go => github.com/opentracing/opentracing-go v1.1.0