Bump runc to v1.0.3
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
pull/4707/head
parent
eb068da7f3
commit
e8a30a87c8
4
go.mod
4
go.mod
|
@ -26,7 +26,7 @@ replace (
|
|||
github.com/kubernetes-sigs/cri-tools => github.com/k3s-io/cri-tools v1.21.0-k3s1
|
||||
github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
|
||||
// LOOK TO scripts/download FOR THE VERSION OF runc THAT WE ARE BUILDING/SHIPPING
|
||||
github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.2
|
||||
github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
|
||||
github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b
|
||||
github.com/rancher/k3s/pkg/data => ./pkg/data
|
||||
github.com/rancher/wrangler => github.com/rancher/wrangler v0.8.10
|
||||
|
@ -103,7 +103,7 @@ require (
|
|||
github.com/onsi/ginkgo v1.16.4
|
||||
github.com/onsi/gomega v1.11.0
|
||||
// LOOK TO scripts/download FOR THE VERSION OF runc THAT WE ARE BUILDING/SHIPPING
|
||||
github.com/opencontainers/runc v1.0.2
|
||||
github.com/opencontainers/runc v1.0.3
|
||||
github.com/opencontainers/selinux v1.8.2
|
||||
github.com/otiai10/copy v1.6.0
|
||||
github.com/pkg/errors v0.9.1
|
||||
|
|
4
go.sum
4
go.sum
|
@ -837,8 +837,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
|
|||
github.com/opencontainers/image-spec v1.0.2-0.20210730191737-8e42a01fb1b7/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/opencontainers/image-spec v1.0.2-0.20210819154149-5ad6f50d6283 h1:TVzvdjOalkJBNkbpPVMAr4KV9QRf2IjfxdyxwAK78Gs=
|
||||
github.com/opencontainers/image-spec v1.0.2-0.20210819154149-5ad6f50d6283/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
|
||||
github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
|
||||
github.com/opencontainers/runc v1.0.3 h1:1hbqejyQWCJBvtKAfdO0b1FmaEf2z/bxnjqbARass5k=
|
||||
github.com/opencontainers/runc v1.0.3/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
|
||||
github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b h1:ZDY8P/luqXqGJSNCux8+9GeKmBDS+JVgVuIwKTauiwM=
|
||||
github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
|
||||
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
|
||||
|
|
|
@ -6,7 +6,7 @@ cd $(dirname $0)/..
|
|||
|
||||
. ./scripts/version.sh
|
||||
|
||||
RUNC_VERSION=v1.0.1
|
||||
RUNC_VERSION=v1.0.3
|
||||
ROOT_VERSION=v0.9.1
|
||||
TRAEFIK_CHART_VERSION=$(yq e '.spec.chart' manifests/traefik.yaml | awk 'match($0, /([0-9.]+)([0-9]{2})/, m) { print m[1]; exit; }')
|
||||
TRAEFIK_PACKAGE_VERSION=$(yq e '.spec.chart' manifests/traefik.yaml | awk 'match($0, /([0-9.]+)([0-9]{2})/, m) { print m[2]; exit; }')
|
||||
|
|
|
@ -106,7 +106,7 @@ task:
|
|||
yum config-manager --set-enabled powertools
|
||||
;;
|
||||
esac
|
||||
yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu
|
||||
yum install -y -q gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
|
||||
# install Go
|
||||
curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local
|
||||
# install bats
|
||||
|
@ -118,6 +118,12 @@ task:
|
|||
cd -
|
||||
# Add a user for rootless tests
|
||||
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
|
||||
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
|
||||
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
|
||||
mkdir -m 0700 -p /home/rootless/.ssh
|
||||
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
|
||||
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
|
||||
chown -R rootless.rootless /home/rootless
|
||||
# set PATH
|
||||
echo 'export PATH=/usr/local/go/bin:/usr/local/bin:$PATH' >> /root/.bashrc
|
||||
# Setup ssh localhost for terminal emulation (script -e did not work)
|
||||
|
|
|
@ -32,6 +32,7 @@ RUN echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debi
|
|||
libseccomp2 \
|
||||
pkg-config \
|
||||
python-minimal \
|
||||
sshfs \
|
||||
sudo \
|
||||
uidmap \
|
||||
&& apt-get clean \
|
||||
|
|
|
@ -1 +1 @@
|
|||
1.0.2
|
||||
1.0.3
|
||||
|
|
|
@ -21,7 +21,7 @@ Vagrant.configure("2") do |config|
|
|||
config exclude kernel,kernel-core
|
||||
config install_weak_deps false
|
||||
update
|
||||
install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu
|
||||
install iptables gcc make golang-go glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs
|
||||
ts run
|
||||
EOF
|
||||
done
|
||||
|
@ -30,9 +30,10 @@ EOF
|
|||
# Add a user for rootless tests
|
||||
useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
|
||||
|
||||
# Allow root to execute `ssh rootless@localhost` in tests/rootless.sh
|
||||
# Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
|
||||
ssh-keygen -t ecdsa -N "" -f /root/rootless.key
|
||||
mkdir -m 0700 -p /home/rootless/.ssh
|
||||
cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
|
||||
cat /root/rootless.key.pub >> /home/rootless/.ssh/authorized_keys
|
||||
chown -R rootless.rootless /home/rootless
|
||||
|
||||
|
|
|
@ -30,10 +30,7 @@ func setHugeTlb(dirPath string, r *configs.Resources) error {
|
|||
}
|
||||
|
||||
func statHugeTlb(dirPath string, stats *cgroups.Stats) error {
|
||||
hugePageSizes, err := cgroups.GetHugePageSize()
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to fetch hugetlb info")
|
||||
}
|
||||
hugePageSizes, _ := cgroups.GetHugePageSize()
|
||||
hugetlbStats := cgroups.HugetlbStats{}
|
||||
|
||||
for _, pagesize := range hugePageSizes {
|
||||
|
|
|
@ -4,6 +4,7 @@ package systemd
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"sync"
|
||||
|
||||
systemdDbus "github.com/coreos/go-systemd/v22/dbus"
|
||||
|
@ -54,7 +55,10 @@ func (d *dbusConnManager) getConnection() (*systemdDbus.Conn, error) {
|
|||
|
||||
conn, err := d.newConnection()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
// When dbus-user-session is not installed, we can't detect whether we should try to connect to user dbus or system dbus, so d.dbusRootless is set to false.
|
||||
// This may fail with a cryptic error "read unix @->/run/systemd/private: read: connection reset by peer: unknown."
|
||||
// https://github.com/moby/moby/issues/42793
|
||||
return nil, fmt.Errorf("failed to connect to dbus (hint: for rootless containers, maybe you need to install dbus-user-session package, see https://github.com/opencontainers/runc/blob/master/docs/cgroup-v2.md): %w", err)
|
||||
}
|
||||
dbusC = conn
|
||||
return conn, nil
|
||||
|
|
|
@ -5,7 +5,6 @@ package systemd
|
|||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
@ -307,9 +306,10 @@ func (m *unifiedManager) Destroy() error {
|
|||
return err
|
||||
}
|
||||
|
||||
// XXX this is probably not needed, systemd should handle it
|
||||
err := os.Remove(m.path)
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
// systemd 239 do not remove sub-cgroups.
|
||||
err := cgroups.RemovePath(m.path)
|
||||
// cgroups.RemovePath has handled ErrNotExist
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
|
@ -2028,16 +2028,34 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
|
|||
return data.Bytes(), nil
|
||||
}
|
||||
|
||||
// netlinkError is an error wrapper type for use by custom netlink message
|
||||
// types. Panics with errors are wrapped in netlinkError so that the recover
|
||||
// in bootstrapData can distinguish intentional panics.
|
||||
type netlinkError struct{ error }
|
||||
|
||||
// bootstrapData encodes the necessary data in netlink binary format
|
||||
// as a io.Reader.
|
||||
// Consumer can write the data to a bootstrap program
|
||||
// such as one that uses nsenter package to bootstrap the container's
|
||||
// init process correctly, i.e. with correct namespaces, uid/gid
|
||||
// mapping etc.
|
||||
func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
|
||||
func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (_ io.Reader, Err error) {
|
||||
// create the netlink message
|
||||
r := nl.NewNetlinkRequest(int(InitMsg), 0)
|
||||
|
||||
// Our custom messages cannot bubble up an error using returns, instead
|
||||
// they will panic with the specific error type, netlinkError. In that
|
||||
// case, recover from the panic and return that as an error.
|
||||
defer func() {
|
||||
if r := recover(); r != nil {
|
||||
if e, ok := r.(netlinkError); ok {
|
||||
Err = e.error
|
||||
} else {
|
||||
panic(r)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
// write cloneFlags
|
||||
r.AddData(&Int32msg{
|
||||
Type: CloneFlagsAttr,
|
||||
|
|
|
@ -3,6 +3,9 @@
|
|||
package libcontainer
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
|
||||
"github.com/vishvananda/netlink/nl"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
@ -54,6 +57,12 @@ type Bytemsg struct {
|
|||
|
||||
func (msg *Bytemsg) Serialize() []byte {
|
||||
l := msg.Len()
|
||||
if l > math.MaxUint16 {
|
||||
// We cannot return nil nor an error here, so we panic with
|
||||
// a specific type instead, which is handled via recover in
|
||||
// bootstrapData.
|
||||
panic(netlinkError{fmt.Errorf("netlink: cannot serialize bytemsg of length %d (larger than UINT16_MAX)", l)})
|
||||
}
|
||||
buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
|
||||
native := nl.NativeEndian()
|
||||
native.PutUint16(buf[0:2], uint16(l))
|
||||
|
|
|
@ -22,7 +22,6 @@ import (
|
|||
"github.com/opencontainers/runc/libcontainer/devices"
|
||||
"github.com/opencontainers/runc/libcontainer/userns"
|
||||
"github.com/opencontainers/runc/libcontainer/utils"
|
||||
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
@ -42,7 +41,7 @@ type mountConfig struct {
|
|||
// needsSetupDev returns true if /dev needs to be set up.
|
||||
func needsSetupDev(config *configs.Config) bool {
|
||||
for _, m := range config.Mounts {
|
||||
if m.Device == "bind" && libcontainerUtils.CleanPath(m.Destination) == "/dev" {
|
||||
if m.Device == "bind" && utils.CleanPath(m.Destination) == "/dev" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
@ -154,15 +153,16 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
|
|||
// finalizeRootfs sets anything to ro if necessary. You must call
|
||||
// prepareRootfs first.
|
||||
func finalizeRootfs(config *configs.Config) (err error) {
|
||||
// remount dev as ro if specified
|
||||
// All tmpfs mounts and /dev were previously mounted as rw
|
||||
// by mountPropagate. Remount them read-only as requested.
|
||||
for _, m := range config.Mounts {
|
||||
if libcontainerUtils.CleanPath(m.Destination) == "/dev" {
|
||||
if m.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
|
||||
if err := remountReadonly(m); err != nil {
|
||||
return newSystemErrorWithCausef(err, "remounting %q as readonly", m.Destination)
|
||||
}
|
||||
if m.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
|
||||
continue
|
||||
}
|
||||
if m.Device == "tmpfs" || utils.CleanPath(m.Destination) == "/dev" {
|
||||
if err := remountReadonly(m); err != nil {
|
||||
return newSystemErrorWithCausef(err, "remounting %q as readonly", m.Destination)
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -432,12 +432,6 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
|
|||
return err
|
||||
}
|
||||
}
|
||||
// Initially mounted rw in mountPropagate, remount to ro if flag set.
|
||||
if m.Flags&unix.MS_RDONLY != 0 {
|
||||
if err := remount(m, rootfs); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
case "bind":
|
||||
if err := prepareBindMount(m, rootfs); err != nil {
|
||||
|
@ -1035,7 +1029,22 @@ func writeSystemProperty(key, value string) error {
|
|||
|
||||
func remount(m *configs.Mount, rootfs string) error {
|
||||
return utils.WithProcfd(rootfs, m.Destination, func(procfd string) error {
|
||||
return unix.Mount(m.Source, procfd, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
|
||||
flags := uintptr(m.Flags | unix.MS_REMOUNT)
|
||||
err := unix.Mount(m.Source, procfd, m.Device, flags, "")
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
// Check if the source has ro flag...
|
||||
var s unix.Statfs_t
|
||||
if err := unix.Statfs(m.Source, &s); err != nil {
|
||||
return &os.PathError{Op: "statfs", Path: m.Source, Err: err}
|
||||
}
|
||||
if s.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
|
||||
return err
|
||||
}
|
||||
// ... and retry the mount with ro flag set.
|
||||
flags |= unix.MS_RDONLY
|
||||
return unix.Mount(m.Source, procfd, m.Device, flags, "")
|
||||
})
|
||||
}
|
||||
|
||||
|
@ -1047,10 +1056,10 @@ func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
|
|||
flags = m.Flags
|
||||
)
|
||||
// Delay mounting the filesystem read-only if we need to do further
|
||||
// operations on it. We need to set up files in "/dev" and tmpfs mounts may
|
||||
// need to be chmod-ed after mounting. The mount will be remounted ro later
|
||||
// in finalizeRootfs() if necessary.
|
||||
if libcontainerUtils.CleanPath(m.Destination) == "/dev" || m.Device == "tmpfs" {
|
||||
// operations on it. We need to set up files in "/dev", and other tmpfs
|
||||
// mounts may need to be chmod-ed after mounting. These mounts will be
|
||||
// remounted ro later in finalizeRootfs(), if necessary.
|
||||
if m.Device == "tmpfs" || utils.CleanPath(m.Destination) == "/dev" {
|
||||
flags &= ^unix.MS_RDONLY
|
||||
}
|
||||
|
||||
|
|
|
@ -921,7 +921,7 @@ github.com/opencontainers/go-digest/digestset
|
|||
github.com/opencontainers/image-spec/identity
|
||||
github.com/opencontainers/image-spec/specs-go
|
||||
github.com/opencontainers/image-spec/specs-go/v1
|
||||
# github.com/opencontainers/runc v1.0.2 => github.com/opencontainers/runc v1.0.2
|
||||
# github.com/opencontainers/runc v1.0.3 => github.com/opencontainers/runc v1.0.3
|
||||
## explicit
|
||||
github.com/opencontainers/runc
|
||||
github.com/opencontainers/runc/contrib/cmd/recvtty
|
||||
|
@ -3437,7 +3437,7 @@ sigs.k8s.io/yaml
|
|||
# github.com/juju/errors => github.com/k3s-io/nocode v0.0.0-20200630202308-cb097102c09f
|
||||
# github.com/kubernetes-sigs/cri-tools => github.com/k3s-io/cri-tools v1.21.0-k3s1
|
||||
# github.com/matryer/moq => github.com/rancher/moq v0.0.0-20190404221404-ee5226d43009
|
||||
# github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.2
|
||||
# github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
|
||||
# github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v1.0.3-0.20210316141917-a8c4a9ee0f6b
|
||||
# github.com/rancher/k3s/pkg/data => ./pkg/data
|
||||
# github.com/rancher/wrangler => github.com/rancher/wrangler v0.8.10
|
||||
|
|