Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package runc for openSUSE:Factory checked in at 2022-09-03 23:18:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/runc (Old) and /work/SRC/openSUSE:Factory/.runc.new.2083 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "runc" Sat Sep 3 23:18:41 2022 rev:50 rq:1000884 version:1.1.4 Changes: -------- --- /work/SRC/openSUSE:Factory/runc/runc.changes 2022-06-17 21:20:47.454717345 +0200 +++ /work/SRC/openSUSE:Factory/.runc.new.2083/runc.changes 2022-09-03 23:18:50.131777374 +0200 @@ -1,0 +2,16 @@ +Wed Aug 31 13:00:31 UTC 2022 - Fabian Vogt <fv...@suse.com> + +- Update to runc v1.1.4. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.1.4. + + * Fix mounting via wrong proc fd. When the user and mount namespaces are + used, and the bind mount is followed by the cgroup mount in the spec, + the cgroup was mounted using the bind mount's mount fd. + * Switch kill() in libcontainer/nsenter to sane_kill(). + * Fix "permission denied" error from runc run on noexec fs. + * Fix failed exec after systemctl daemon-reload. Due to a regression + in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and + was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded. + (boo#1202821) + +------------------------------------------------------------------- Old: ---- runc-1.1.3.tar.xz runc-1.1.3.tar.xz.asc New: ---- runc-1.1.4.tar.xz runc-1.1.4.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ runc.spec ++++++ --- /var/tmp/diff_new_pack.fVK0Ib/_old 2022-09-03 23:18:50.575778535 +0200 +++ /var/tmp/diff_new_pack.fVK0Ib/_new 2022-09-03 23:18:50.579778546 +0200 
@@ -26,8 +26,8 @@ %define project github.com/opencontainers/runc Name: runc -Version: 1.1.3 -%define _version 1.1.3 +Version: 1.1.4 +%define _version 1.1.4 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 ++++++ runc-1.1.3.tar.xz -> runc-1.1.4.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/.codespellrc new/runc-1.1.4/.codespellrc --- old/runc-1.1.3/.codespellrc 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/.codespellrc 2022-08-24 02:45:13.000000000 +0200 @@ -1,3 +1,3 @@ [codespell] -skip = ./vendor,./.git -ignore-words-list = clos,creat +skip = ./vendor,./.git,./go.sum +ignore-words-list = clos,creat,ro,complies diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/.github/workflows/test.yml new/runc-1.1.4/.github/workflows/test.yml --- old/runc-1.1.3/.github/workflows/test.yml 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/.github/workflows/test.yml 2022-08-24 02:45:13.000000000 +0200 @@ -126,4 +126,4 @@ - name: unit test # cgo is disabled by default when cross-compiling - run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest + run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 CGO_CFLAGS=-fno-stack-protector localunittest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/CHANGELOG.md new/runc-1.1.4/CHANGELOG.md --- old/runc-1.1.3/CHANGELOG.md 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/CHANGELOG.md 2022-08-24 02:45:13.000000000 +0200 
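Review bot: The added `CGO_CFLAGS=-fno-stack-protector` switches off a hardening flag with nothing in the workflow saying why, so the next person touching this job cannot tell whether it is a toolchain workaround that can go away or something that must stay. As far as this hunk shows it only affects the 386 cgo unit-test build and not release artifacts, but that should be written down rather than inferred. I would add a line above the `run:`, e.g. `# -fno-stack-protector: <why the 386 cgo test build needs it>; CI test binary only, release builds are unaffected`, with the real reason filled in by whoever hit the failure.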
@@ -6,6 +6,23 @@ ## [Unreleased] +## [1.1.4] - 2022-08-24 + +> If you look for perfection, you'll never be content. + +### Fixed + +* Fix mounting via wrong proc fd. + When the user and mount namespaces are used, and the bind mount is followed by + the cgroup mount in the spec, the cgroup was mounted using the bind mount's + mount fd. (#3511) +* Switch `kill()` in `libcontainer/nsenter` to `sane_kill()`. (#3536) +* Fix "permission denied" error from `runc run` on `noexec` fs. (#3541) +* Fix failed exec after `systemctl daemon-reload`. + Due to a regression in v1.1.3, the `DeviceAllow=char-pts rwm` rule was no + longer added and was causing an error `open /dev/pts/0: operation not permitted: unknown` + when systemd was reloaded. (#3554) +* Various CI fixes. (#3538, #3558, #3562) ## [1.1.3] - 2022-06-09 @@ -298,7 +315,7 @@ cgroups at all during `runc update`). (#2994) <!-- minor releases --> -[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.3...HEAD +[Unreleased]: https://github.com/opencontainers/runc/compare/v1.1.4...HEAD [1.1.0]: https://github.com/opencontainers/runc/compare/v1.1.0-rc.1...v1.1.0 [1.0.0]: https://github.com/opencontainers/runc/releases/tag/v1.0.0 
@@ -309,7 +326,8 @@ [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 <!-- 1.1.z patch releases --> -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.3...release-1.1 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.4...release-1.1 +[1.1.4]: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4 [1.1.3]: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3 [1.1.2]: https://github.com/opencontainers/runc/compare/v1.1.1...v1.1.2 [1.1.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.1.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/VERSION new/runc-1.1.4/VERSION --- old/runc-1.1.3/VERSION 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/VERSION 2022-08-24 02:45:13.000000000 +0200 @@ -1 +1 @@ -1.1.3 +1.1.4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/libcontainer/cgroups/systemd/common.go new/runc-1.1.4/libcontainer/cgroups/systemd/common.go --- old/runc-1.1.3/libcontainer/cgroups/systemd/common.go 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/libcontainer/cgroups/systemd/common.go 2022-08-24 02:45:13.000000000 +0200 
@@ -288,14 +288,16 @@ case devices.CharDevice: entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor) } + // systemd will issue a warning if the path we give here doesn't exist. + // Since all of this logic is best-effort anyway (we manually set these + // rules separately to systemd) we can safely skip entries that don't + // have a corresponding path. + if _, err := os.Stat(entry.Path); err != nil { + logrus.Debugf("skipping device %s for systemd: %s", entry.Path, err) + continue + } } - // systemd will issue a warning if the path we give here doesn't exist. - // Since all of this logic is best-effort anyway (we manually set these - // rules separately to systemd) we can safely skip entries that don't - // have a corresponding path. - if _, err := os.Stat(entry.Path); err == nil { - deviceAllowList = append(deviceAllowList, entry) - } + deviceAllowList = append(deviceAllowList, entry) } properties = append(properties, newProp("DeviceAllow", deviceAllowList)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/libcontainer/integration/checkpoint_test.go new/runc-1.1.4/libcontainer/integration/checkpoint_test.go --- old/runc-1.1.3/libcontainer/integration/checkpoint_test.go 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/libcontainer/integration/checkpoint_test.go 2022-08-24 02:45:13.000000000 +0200 @@ -6,6 +6,7 @@ "os" "os/exec" "path/filepath" + "regexp" "strings" "testing" 
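Review bot: The relocated `os.Stat` skip still silently drops any concrete device path built by the switch above whose node does not exist when the unit is created, and the changelog in this same update shows what that costs: systemd re-applies `DeviceAllow` on `daemon-reload`, so a device that runc allows through its own rules but leaves out of the systemd property can lose access after a reload, the same failure mode just fixed for `char-pts` (#3554). Hot-plugged or late-created device nodes would presumably hit this; I cannot see from the hunk how runc's own rules are applied afterwards, so treat that as something to verify rather than a finding. At minimum the comment should name the consequence instead of calling the skip safe, e.g. `// NOTE: an entry skipped here is also absent from the unit's DeviceAllow, so after "systemctl daemon-reload" systemd may revoke access runc granted directly (cf. #3554).` The `logrus.Debugf` level also hides this from operators; `Warnf` would be more appropriate given the reload behaviour. The enclosing function begins and ends outside this hunk.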
@@ -61,6 +62,12 @@
t.Skipf("criu binary not found: %v", err)
}
+ // Workaround for https://github.com/opencontainers/runc/issues/3532.
+ out, err := exec.Command("rpm", "-q", "criu").CombinedOutput()
+ if err == nil && regexp.MustCompile(`^criu-3\.17-[123]\.el9`).Match(out) {
+ t.Skip("Test requires criu >= 3.17-4 on CentOS Stream 9.")
+ }
+
config := newTemplateConfig(t, &tParam{userns: userns})
factory, err := libcontainer.New(t.TempDir())
ok(t, err)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/libcontainer/nsenter/nsexec.c new/runc-1.1.4/libcontainer/nsenter/nsexec.c
--- old/runc-1.1.3/libcontainer/nsenter/nsexec.c 2022-06-08 20:46:47.000000000 +0200
+++ new/runc-1.1.4/libcontainer/nsenter/nsexec.c 2022-08-24 02:45:13.000000000 +0200
@@ -1068,7 +1068,7 @@
s = SYNC_MOUNTSOURCES_ACK;
if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(stage1_pid, SIGKILL);
+ sane_kill(stage1_pid, SIGKILL);
bail("failed to sync with child: write(SYNC_MOUNTSOURCES_ACK)");
}
break;
@@ -1230,7 +1230,7 @@
if (config.mountsources) {
s = SYNC_MOUNTSOURCES_PLS;
if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(stage2_pid, SIGKILL);
+ sane_kill(stage2_pid, SIGKILL);
bail("failed to sync with parent: write(SYNC_MOUNTSOURCES_PLS)");
}
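Review bot: The four `kill()` → `sane_kill()` replacements carry no hint of why they matter, and the definition of `sane_kill` is outside this hunk; presumably it refuses non-positive pids, which is the whole point here: if `stage1_pid`/`stage2_pid` is still -1 when the `write()` fails, a raw `kill(-1, SIGKILL)` signals every process the caller is allowed to signal, and `kill(0, …)` the entire process group. Please confirm `sane_kill` checks `pid > 0` before calling `kill()`, and that no other `kill(stage*_pid, …)` sites remain elsewhere in nsexec.c, since the changelog describes this as a file-wide switch. A one-line comment at the first converted site would spare the next reader the same question: `/* sane_kill() ignores pid <= 0, so an unset child pid can never become kill(-1). */`. The enclosing stage logic starts and ends outside the hunk.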
@@ -1239,11 +1239,11 @@
/* Parent finished to send the mount sources fds. */
if (read(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(stage2_pid, SIGKILL);
+ sane_kill(stage2_pid, SIGKILL);
bail("failed to sync with parent: read(SYNC_MOUNTSOURCES_ACK)");
}
if (s != SYNC_MOUNTSOURCES_ACK) {
- kill(stage2_pid, SIGKILL);
+ sane_kill(stage2_pid, SIGKILL);
bail("failed to sync with parent: SYNC_MOUNTSOURCES_ACK: got %u", s);
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/libcontainer/rootfs_linux.go new/runc-1.1.4/libcontainer/rootfs_linux.go
--- old/runc-1.1.3/libcontainer/rootfs_linux.go 2022-06-08 20:46:47.000000000 +0200
+++ new/runc-1.1.4/libcontainer/rootfs_linux.go 2022-08-24 02:45:13.000000000 +0200
@@ -80,6 +80,8 @@
// Therefore, we can access mountFds[i] without any concerns.
if mountFds != nil && mountFds[i] != -1 {
mountConfig.fd = &mountFds[i]
+ } else {
+ mountConfig.fd = nil
}
if err := mountToRootfs(m, mountConfig); err != nil {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/libcontainer/standard_init_linux.go new/runc-1.1.4/libcontainer/standard_init_linux.go
--- old/runc-1.1.3/libcontainer/standard_init_linux.go 2022-06-08 20:46:47.000000000 +0200
+++ new/runc-1.1.4/libcontainer/standard_init_linux.go 2022-08-24 02:45:13.000000000 +0200
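Review bot: The new `else { mountConfig.fd = nil }` cures the symptom — a previous iteration's fd leaking into this mount — but leaves the cause in place: one `mountConfig` is reused across the loop, so any other field that is only set conditionally would be carried over the same way (the other fields are not visible in this hunk, so that is a question rather than a finding). Given that the stale value here meant the cgroup was mounted from the bind mount's fd, a reset at the top of each iteration reads clearer and safer than an `else`: `mountConfig.fd = nil // never inherit the previous mount's fd` placed before the `if`, with the `if` body left as it was. The surrounding `// Therefore, we can access mountFds[i] without any concerns.` now undersells the risk and deserves a sentence naming this failure mode. The loop begins and ends outside this hunk.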
@@ -198,6 +198,13 @@
if err != nil {
return err
}
+ // exec.LookPath might return no error for an executable residing on a
+ // file system mounted with noexec flag, so perform this extra check
+ // now while we can still return a proper error.
+ if err := system.Eaccess(name); err != nil {
+ return &os.PathError{Op: "exec", Path: name, Err: err}
+ }
+
// Set seccomp as close to execve as possible, so as few syscalls take
// place afterward (reducing the amount of syscalls that users need to
// enable in their seccomp profiles). However, this needs to be done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/libcontainer/system/linux.go new/runc-1.1.4/libcontainer/system/linux.go
--- old/runc-1.1.3/libcontainer/system/linux.go 2022-06-08 20:46:47.000000000 +0200
+++ new/runc-1.1.4/libcontainer/system/linux.go 2022-08-24 02:45:13.000000000 +0200
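Review bot: The new `system.Eaccess(name)` call is a check-then-act pre-flight — the file can change between it and the later execve, and `Eaccess` itself reports success for set[ug]id binaries when faccessat2 is unavailable — so the comment should state plainly that it exists only to produce a clearer error and that execve remains the enforcement point. It also only tells the truth if it runs under the credentials execve will use; the hunk does not show where this sits relative to the uid/gid/capability switch in this function, so please confirm the ordering. I would extend the comment with: `// Best-effort diagnostic only (TOCTOU, and Eaccess may fail open); execve below is what actually enforces the x bit and noexec.` The enclosing function begins and ends outside the hunk.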
@@ -31,6 +31,25 @@
return SetParentDeathSignal(uintptr(p))
}
+// Eaccess is similar to unix.Access except for setuid/setgid binaries
+// it checks against the effective (rather than real) uid and gid.
+func Eaccess(path string) error {
+ err := unix.Faccessat2(unix.AT_FDCWD, path, unix.X_OK, unix.AT_EACCESS)
+ if err != unix.ENOSYS && err != unix.EPERM { //nolint:errorlint // unix errors are bare
+ return err
+ }
+
+ // Faccessat2() not available; check if we are a set[ug]id binary.
+ if os.Getuid() == os.Geteuid() && os.Getgid() == os.Getegid() {
+ // For a non-set[ug]id binary, use access(2).
+ return unix.Access(path, unix.X_OK)
+ }
+
+ // For a setuid/setgid binary, there is no fallback way
+ // so assume we can execute the binary.
+ return nil
+}
+
func Execv(cmd string, args []string, env []string) error {
name, err := exec.LookPath(cmd)
if err != nil {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/tests/integration/cgroup_delegation.bats new/runc-1.1.4/tests/integration/cgroup_delegation.bats
--- old/runc-1.1.3/tests/integration/cgroup_delegation.bats 2022-06-08 20:46:47.000000000 +0200
+++ new/runc-1.1.4/tests/integration/cgroup_delegation.bats 2022-08-24 02:45:13.000000000 +0200
@@ -35,7 +35,7 @@
[ "$output" = "nobody" ] # /sys/fs/cgroup owned by unmapped user
}
-@test "runc exec (cgroup v2, rw cgroupfs, inh cgroupns) does not chown cgroup" {
+@test "runc exec (cgroup v2, rw cgroupfs, inherit cgroupns) does not chown cgroup" {
set_cgroup_mount_writable
# inherit cgroup namespace (remove cgroup from namespaces list)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/tests/integration/checkpoint.bats new/runc-1.1.4/tests/integration/checkpoint.bats
--- old/runc-1.1.3/tests/integration/checkpoint.bats 2022-06-08 20:46:47.000000000 +0200
+++ new/runc-1.1.4/tests/integration/checkpoint.bats 2022-08-24 02:45:13.000000000 +0200
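Review bot: `Eaccess` fails open — for a set[ug]id process where `Faccessat2` is unavailable it returns nil and so reports the file as executable — and neither that nor the reason `EPERM` is lumped with `ENOSYS` appears in its doc comment. Both choices are defensible for an advisory check (presumably `EPERM` is what a seccomp profile that predates faccessat2 returns for it, but that is an inference from the code, not something the hunk states), yet a caller that used the result for an authorization decision would be misled. Suggest spelling out the contract on the function: `// Eaccess is advisory: a nil result does not guarantee execve will succeed (it fails open for set[ug]id processes without faccessat2), and ENOSYS/EPERM from faccessat2 mean "syscall unavailable", not a verdict on path.` This function is complete within the hunk; `Execv` after it continues outside.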
@@ -84,7 +84,7 @@ shift ret=0 - __runc --criu "$CRIU" restore -d --work-path "$workdir" --image-path ./image-dir "$@" "$name" <&${in_r} >&${out_w} 2>&${err_w} || ret=$? + __runc restore -d --work-path "$workdir" --image-path ./image-dir "$@" "$name" <&${in_r} >&${out_w} 2>&${err_w} || ret=$? if [ "$ret" -ne 0 ]; then echo "__runc restore $name failed (status: $ret)" exec {err_w}>&- @@ -109,7 +109,7 @@ for _ in $(seq 2); do # checkpoint the running container - runc --criu "$CRIU" "$@" checkpoint --work-path ./work-dir test_busybox + runc "$@" checkpoint --work-path ./work-dir test_busybox grep -B 5 Error ./work-dir/dump.log || true [ "$status" -eq 0 ] @@ -117,7 +117,7 @@ testcontainer test_busybox checkpointed # restore from checkpoint - runc --criu "$CRIU" "$@" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox + runc "$@" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox grep -B 5 Error ./work-dir/restore.log || true [ "$status" -eq 0 ] @@ -162,12 +162,12 @@ testcontainer test_busybox running # runc should fail with absolute parent image path. - runc --criu "$CRIU" checkpoint --parent-path "$(pwd)"/parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox + runc checkpoint --parent-path "$(pwd)"/parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox [[ "${output}" == *"--parent-path"* ]] [ "$status" -ne 0 ] # runc should fail with invalid parent image path. - runc --criu "$CRIU" checkpoint --parent-path ./parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox + runc checkpoint --parent-path ./parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox [[ "${output}" == *"--parent-path"* ]] [ "$status" -ne 0 ] } 
@@ -178,7 +178,7 @@ #test checkpoint pre-dump mkdir parent-dir - runc --criu "$CRIU" checkpoint --pre-dump --image-path ./parent-dir test_busybox + runc checkpoint --pre-dump --image-path ./parent-dir test_busybox [ "$status" -eq 0 ] # busybox should still be running @@ -187,7 +187,7 @@ # checkpoint the running container mkdir image-dir mkdir work-dir - runc --criu "$CRIU" checkpoint --parent-path ../parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox + runc checkpoint --parent-path ../parent-dir --work-path ./work-dir --image-path ./image-dir test_busybox grep -B 5 Error ./work-dir/dump.log || true [ "$status" -eq 0 ] @@ -203,7 +203,7 @@ @test "checkpoint --lazy-pages and restore" { # check if lazy-pages is supported - if ! "${CRIU}" check --feature uffd-noncoop; then + if ! criu check --feature uffd-noncoop; then skip "this criu does not support lazy migration" fi @@ -224,7 +224,7 @@ # TCP port for lazy migration port=27277 - __runc --criu "$CRIU" checkpoint --lazy-pages --page-server 0.0.0.0:${port} --status-fd ${lazy_w} --work-path ./work-dir --image-path ./image-dir test_busybox & + __runc checkpoint --lazy-pages --page-server 0.0.0.0:${port} --status-fd ${lazy_w} --work-path ./work-dir --image-path ./image-dir test_busybox & cpt_pid=$! # wait for lazy page server to be ready @@ -242,7 +242,7 @@ [ -e image-dir/inventory.img ] # Start CRIU in lazy-daemon mode - ${CRIU} lazy-pages --page-server --address 127.0.0.1 --port ${port} -D image-dir & + criu lazy-pages --page-server --address 127.0.0.1 --port ${port} -D image-dir & lp_pid=$! # Restore lazily from checkpoint. @@ -264,7 +264,7 @@ @test "checkpoint and restore in external network namespace" { # check if external_net_ns is supported; only with criu 3.10++ - if ! "${CRIU}" check --feature external_net_ns; then + if ! criu check --feature external_net_ns; then # this criu does not support external_net_ns; skip the test skip "this criu does not support external network namespaces" fi 
@@ -290,7 +290,7 @@ for _ in $(seq 2); do # checkpoint the running container; this automatically tells CRIU to # handle the network namespace defined in config.json as an external - runc --criu "$CRIU" checkpoint --work-path ./work-dir test_busybox + runc checkpoint --work-path ./work-dir test_busybox grep -B 5 Error ./work-dir/dump.log || true [ "$status" -eq 0 ] @@ -298,7 +298,7 @@ testcontainer test_busybox checkpointed # restore from checkpoint; this should restore the container into the existing network namespace - runc --criu "$CRIU" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox + runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox grep -B 5 Error ./work-dir/restore.log || true [ "$status" -eq 0 ] @@ -341,7 +341,7 @@ testcontainer test_busybox running # checkpoint the running container - runc --criu "$CRIU" checkpoint --work-path ./work-dir test_busybox + runc checkpoint --work-path ./work-dir test_busybox grep -B 5 Error ./work-dir/dump.log || true [ "$status" -eq 0 ] ! test -f ./work-dir/"$tmplog1" @@ -352,7 +352,7 @@ test -f ./work-dir/"$tmplog2" && unlink ./work-dir/"$tmplog2" # restore from checkpoint - runc --criu "$CRIU" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox + runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox grep -B 5 Error ./work-dir/restore.log || true [ "$status" -eq 0 ] ! test -f ./work-dir/"$tmplog1" @@ -386,7 +386,7 @@ testcontainer test_busybox running # checkpoint the running container - runc --criu "$CRIU" checkpoint --work-path ./work-dir test_busybox + runc checkpoint --work-path ./work-dir test_busybox grep -B 5 Error ./work-dir/dump.log || true [ "$status" -eq 0 ] 
@@ -398,7 +398,7 @@ rm -rf "${bind1:?}"/* # restore from checkpoint - runc --criu "$CRIU" restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox + runc restore -d --work-path ./work-dir --console-socket "$CONSOLE_SOCKET" test_busybox grep -B 5 Error ./work-dir/restore.log || true [ "$status" -eq 0 ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/tests/integration/delete.bats new/runc-1.1.4/tests/integration/delete.bats --- old/runc-1.1.3/tests/integration/delete.bats 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/tests/integration/delete.bats 2022-08-24 02:45:13.000000000 +0200 @@ -11,10 +11,22 @@ } @test "runc delete" { + # Need a permission to create a cgroup. + # XXX(@kolyshkin): currently this test does not handle rootless when + # fs cgroup driver is used, because in this case cgroup (with a + # predefined name) is created by tests/rootless.sh, not by runc. + [[ "$ROOTLESS" -ne 0 ]] && requires systemd + set_resources_limit + runc run -d --console-socket "$CONSOLE_SOCKET" testbusyboxdelete [ "$status" -eq 0 ] testcontainer testbusyboxdelete running + # Ensure the find statement used later is correct. + output=$(find /sys/fs/cgroup -name testbusyboxdelete -o -name \*-testbusyboxdelete.scope 2>/dev/null || true) + if [ -z "$output" ]; then + fail "expected cgroup not found" + fi runc kill testbusyboxdelete KILL [ "$status" -eq 0 ] @@ -26,7 +38,7 @@ runc state testbusyboxdelete [ "$status" -ne 0 ] - output=$(find /sys/fs/cgroup -wholename '*testbusyboxdelete*' -type d) + output=$(find /sys/fs/cgroup -name testbusyboxdelete -o -name \*-testbusyboxdelete.scope 2>/dev/null || true) [ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output" } 
@@ -106,7 +118,7 @@ runc state test_busybox [ "$status" -ne 0 ] - output=$(find /sys/fs/cgroup -wholename '*testbusyboxdelete*' -type d) + output=$(find /sys/fs/cgroup -wholename '*testbusyboxdelete*' -type d 2>/dev/null || true) [ "$output" = "" ] || fail "cgroup not cleaned up correctly: $output" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/tests/integration/dev.bats new/runc-1.1.4/tests/integration/dev.bats --- old/runc-1.1.3/tests/integration/dev.bats 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/tests/integration/dev.bats 2022-08-24 02:45:13.000000000 +0200 @@ -128,3 +128,19 @@ runc exec test_allow_block sh -c 'fdisk -l '"$device"'' [ "$status" -eq 0 ] } + +# https://github.com/opencontainers/runc/issues/3551 +@test "runc exec vs systemctl daemon-reload" { + requires systemd root + + runc run -d --console-socket "$CONSOLE_SOCKET" test_exec + [ "$status" -eq 0 ] + + runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123" + [ "$status" -eq 0 ] + + systemctl daemon-reload + + runc exec -t test_exec sh -c "ls -l /proc/self/fd/0; echo 123" + [ "$status" -eq 0 ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/tests/integration/helpers.bash new/runc-1.1.4/tests/integration/helpers.bash --- old/runc-1.1.3/tests/integration/helpers.bash 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/tests/integration/helpers.bash 2022-08-24 02:45:13.000000000 +0200 @@ -23,9 +23,6 @@ # shellcheck disable=SC2034 TESTDATA="${INTEGRATION_ROOT}/testdata" -# CRIU PATH -CRIU="$(which criu 2>/dev/null || true)" - # Kernel version KERNEL_VERSION="$(uname -r)" KERNEL_MAJOR="${KERNEL_VERSION%%.*}" 
@@ -343,6 +340,16 @@ [[ "$ROOTLESS_FEATURES" == *"cgroup"* || -n "$RUNC_USE_SYSTEMD" ]] } +# Check if criu is available and working. +function have_criu() { + command -v criu &>/dev/null || return 1 + + # Workaround for https://github.com/opencontainers/runc/issues/3532. + local ver + ver=$(rpm -q criu 2>/dev/null || true) + ! grep -q '^criu-3\.17-[123]\.el9' <<<"$ver" +} + # Allows a test to specify what things it requires. If the environment can't # support it, the test is skipped with a message. function requires() { @@ -350,7 +357,7 @@ local skip_me case $var in criu) - if [ ! -e "$CRIU" ]; then + if ! have_criu; then skip_me=1 fi ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/runc-1.1.3/tests/integration/userns.bats new/runc-1.1.4/tests/integration/userns.bats --- old/runc-1.1.3/tests/integration/userns.bats 2022-06-08 20:46:47.000000000 +0200 +++ new/runc-1.1.4/tests/integration/userns.bats 2022-08-24 02:45:13.000000000 +0200 @@ -64,3 +64,22 @@ runc exec test_busybox stat /tmp/mount-1/foo.txt /tmp/mount-2/foo.txt [ "$status" -eq 0 ] } + +# Issue fixed by https://github.com/opencontainers/runc/pull/3510. +@test "userns with bind mount before a cgroupfs mount" { + # This can only be reproduced on cgroup v1 (and no cgroupns) due to the + # way it is mounted in such case (a bunch of of bind mounts). + requires cgroups_v1 + + # Add a bind mount right before the /sys/fs/cgroup mount, + # and make sure cgroupns is not enabled. + update_config ' .mounts |= map(if .destination == "/sys/fs/cgroup" then ({"source": "source-accessible/dir", "destination": "/tmp/mount-1", "options": ["bind"]}, .) else . end) + | .linux.namespaces -= [{"type": "cgroup"}]' + + runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox + [ "$status" -eq 0 ] + + # Make sure this is real cgroupfs. + runc exec test_busybox cat /sys/fs/cgroup/{pids,memory}/tasks + [ "$status" -eq 0 ] +}