Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package crun for openSUSE:Factory checked in at 2023-10-13 23:15:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/crun (Old) and /work/SRC/openSUSE:Factory/.crun.new.20540 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crun" Fri Oct 13 23:15:12 2023 rev:17 rq:1117581 version:1.9.2 Changes: -------- --- /work/SRC/openSUSE:Factory/crun/crun.changes 2023-10-12 11:39:04.482458627 +0200 +++ /work/SRC/openSUSE:Factory/.crun.new.20540/crun.changes 2023-10-13 23:16:15.446467609 +0200 @@ -1,0 +2,22 @@ +Thu Oct 12 08:02:18 UTC 2023 - Dan Äermák <dcer...@suse.com> + +- New upstream release 1.9.2: + + * cgroup: reset the inherited cpu affinity after moving to cgroup. Old kernels + do that automatically, but new kernels remember the affinity that was set + before the cgroup move, so we need to reset it in order to honor the cpuset + configuration. + +- New upstream release 1.9.1: + + * utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on Linux 6.6 + that always refuses chmod on a symlink. + * build: fix build on CentOS 7 + * linux: add new fallback when mount fails with EBUSY, so that there is not an + additional tmpfs mount if not needed. + * utils: improve error message when a directory cannot be created as a + component of the path is already existing as a non directory. + +- Only build with wasmedge on x86_64 & aarch64 + +------------------------------------------------------------------- Old: ---- crun-1.9.tar.xz crun-1.9.tar.xz.asc New: ---- crun-1.9.2.tar.xz crun-1.9.2.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ crun.spec ++++++ --- /var/tmp/diff_new_pack.nEFxOa/_old 2023-10-13 23:16:15.918484729 +0200 +++ /var/tmp/diff_new_pack.nEFxOa/_new 2023-10-13 23:16:15.918484729 +0200 
@@ -15,17 +15,20 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # - +%ifarch x86_64 aarch64 %define with_wasmedge 1 +%else +%define with_wasmedge 0 +%endif Name: crun -Version: 1.9 +Version: 1.9.2 Release: 0 Summary: OCI runtime written in C License: GPL-2.0-or-later URL: https://github.com/containers/crun -Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz -Source1: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz.asc +Source0: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.xz +Source1: %{URL}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc Source2: crun.keyring # We always run autogen.sh BuildRequires: autoconf @@ -76,7 +79,7 @@ # - it would be nice to enable the test-suite, but seems to behave (and fail!) # differently when run inside of an OBS worker, with respect to when it's # run manually on the host... Need to investigate more. -#%check +%dnl %check #make test-suite.log %install ++++++ crun-1.9.tar.xz -> crun-1.9.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/.tarball-git-version.h new/crun-1.9.2/.tarball-git-version.h --- old/crun-1.9/.tarball-git-version.h 2023-09-07 15:30:01.000000000 +0200 +++ new/crun-1.9.2/.tarball-git-version.h 2023-09-27 22:34:34.000000000 +0200 @@ -1,4 +1,4 @@ /* autogenerated. */ #ifndef GIT_VERSION -# define GIT_VERSION "a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3" +# define GIT_VERSION "35274d346d2e9ffeacb22cc11590b0266a23d634" #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/.tarball-version new/crun-1.9.2/.tarball-version --- old/crun-1.9/.tarball-version 2023-09-07 15:30:01.000000000 +0200 +++ new/crun-1.9.2/.tarball-version 2023-09-27 22:34:34.000000000 +0200 
@@ -1 +1 @@ -1.9 +1.9.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/Makefile.am new/crun-1.9.2/Makefile.am --- old/crun-1.9/Makefile.am 2023-09-07 15:28:45.000000000 +0200 +++ new/crun-1.9.2/Makefile.am 2023-09-27 22:33:35.000000000 +0200 @@ -149,6 +149,7 @@ src/libcrun/linux.h src/libcrun/utils.h src/libcrun/error.h src/libcrun/criu.h \ src/libcrun/scheduler.h src/libcrun/status.h src/libcrun/terminal.h src/libcrun/mount_flags.h \ crun.1.md crun.1 libcrun.lds \ + krun.1.md krun.1 \ lua/luacrun.rockspec UNIT_TESTS = tests/tests_libcrun_utils tests/tests_libcrun_errors @@ -239,8 +240,14 @@ CLEANFILES = crun.spec .version git-version.h $(LUACRUN_ROCKSPEC) +man1_MANS = + if ENABLE_CRUN -man1_MANS = crun.1 +man1_MANS += crun.1 +endif + +if ENABLE_KRUN +man1_MANS += krun.1 endif crun.1: $(abs_srcdir)/crun.1.md @@ -248,7 +255,12 @@ $(MD2MAN) -in $(abs_srcdir)/crun.1.md -out crun.1 endif HAVE_MD2MAN -generate-man: crun.1 +krun.1: $(abs_srcdir)/krun.1.md +if HAVE_MD2MAN + $(MD2MAN) -in $(abs_srcdir)/krun.1.md -out krun.1 +endif HAVE_MD2MAN + +generate-man: crun.1 krun.1 sync: (cd libocispec; git pull https://github.com/containers/libocispec main) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/Makefile.in new/crun-1.9.2/Makefile.in --- old/crun-1.9/Makefile.in 2023-09-07 15:29:24.000000000 +0200 +++ new/crun-1.9.2/Makefile.in 2023-09-27 22:34:03.000000000 +0200 @@ -97,6 +97,8 @@ @ENABLE_CRUN_TRUE@ $(am__EXEEXT_1) \ @ENABLE_CRUN_TRUE@ tests/tests_libcrun_fuzzer$(EXEEXT) TESTS = $(PYTHON_TESTS) $(am__EXEEXT_1) +@ENABLE_CRUN_TRUE@am__append_1 = crun.1 +@ENABLE_KRUN_TRUE@am__append_2 = krun.1 subdir = . ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_lua.m4 \ 
@@ -948,8 +950,8 @@ src/libcrun/utils.h src/libcrun/error.h src/libcrun/criu.h \ src/libcrun/scheduler.h src/libcrun/status.h \ src/libcrun/terminal.h src/libcrun/mount_flags.h crun.1.md \ - crun.1 libcrun.lds lua/luacrun.rockspec $(PYTHON_TESTS) \ - tests/Makefile.tests tests/run_all_tests.sh \ + crun.1 libcrun.lds krun.1.md krun.1 lua/luacrun.rockspec \ + $(PYTHON_TESTS) tests/Makefile.tests tests/run_all_tests.sh \ tests/tests_utils.py build-aux/git-version-gen \ src/libcrun/signals.perf src/libcrun/mount_flags.perf UNIT_TESTS = tests/tests_libcrun_utils tests/tests_libcrun_errors @@ -1000,7 +1002,7 @@ BUILT_SOURCES = .version git-version.h CLEANFILES = crun.spec .version git-version.h $(LUACRUN_ROCKSPEC) -@ENABLE_CRUN_TRUE@man1_MANS = crun.1 +man1_MANS = $(am__append_1) $(am__append_2) all: $(BUILT_SOURCES) config.h $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -3478,7 +3480,10 @@ crun.1: $(abs_srcdir)/crun.1.md @HAVE_MD2MAN_TRUE@ $(MD2MAN) -in $(abs_srcdir)/crun.1.md -out crun.1 -generate-man: crun.1 +krun.1: $(abs_srcdir)/krun.1.md +@HAVE_MD2MAN_TRUE@ $(MD2MAN) -in $(abs_srcdir)/krun.1.md -out krun.1 + +generate-man: crun.1 krun.1 sync: (cd libocispec; git pull https://github.com/containers/libocispec main) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/NEWS new/crun-1.9.2/NEWS --- old/crun-1.9/NEWS 2023-09-07 15:28:45.000000000 +0200 +++ new/crun-1.9.2/NEWS 2023-09-27 22:33:35.000000000 +0200 
@@ -1,3 +1,20 @@ +* crun-1.9.2 + +- cgroup: reset the inherited cpu affinity after moving to cgroup. + Old kernels do that automatically, but new kernels remember the + affinity that was set before the cgroup move, so we need to reset + it in order to honor the cpuset configuration. + +* crun-1.9.1 + +- utils: ignore ENOTSUP when chmod a symlink. It fixes a problem on + Linux 6.6 that always refuses chmod on a symlink. +- build: fix build on CentOS 7 +- linux: add new fallback when mount fails with EBUSY, so that there + is not an additional tmpfs mount if not needed. +- utils: improve error message when a directory cannot be created as + a component of the path is already existing as a non directory. + * crun-1.9 - linux: support arbitrary idmapped mounts. Now it is possible to @@ -23,7 +40,6 @@ - features: Fix annotations formatting. - linux: do not write some errors twice. - libcrun: handle SIGWINCH by resizing the terminal file descriptor. - - crun: new command "crun features". - linux: fix handling of idmapped mounts when the container joins an existing PID namespace. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/config.h.in new/crun-1.9.2/config.h.in --- old/crun-1.9/config.h.in 2023-09-07 15:29:23.000000000 +0200 +++ new/crun-1.9.2/config.h.in 2023-09-27 22:34:02.000000000 +0200 @@ -84,6 +84,9 @@ /* Define to 1 if you have the <lua.h> header file. */ #undef HAVE_LUA_H +/* Define to 1 if you have the `memfd_create' function. */ +#undef HAVE_MEMFD_CREATE + /* Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/configure new/crun-1.9.2/configure --- old/crun-1.9/configure 2023-09-07 15:29:22.000000000 +0200 +++ new/crun-1.9.2/configure 2023-09-27 22:34:01.000000000 +0200 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for crun 1.9. +# Generated by GNU Autoconf 2.69 for crun 1.9.2. # # Report bugs to <giuse...@scrivano.org>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='crun' PACKAGE_TARNAME='crun' -PACKAGE_VERSION='1.9' -PACKAGE_STRING='crun 1.9' +PACKAGE_VERSION='1.9.2' +PACKAGE_STRING='crun 1.9.2' PACKAGE_BUGREPORT='giuse...@scrivano.org' PACKAGE_URL='' @@ -674,6 +674,8 @@ PYTHON_CFLAGS DYNLOAD_LIBCRUN SHARED_LIBCRUN +ENABLE_KRUN_FALSE +ENABLE_KRUN_TRUE MONO_LIBS MONO_CFLAGS YAJL_LIBS @@ -1428,7 +1430,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures crun 1.9 to adapt to many kinds of systems. +\`configure' configures crun 1.9.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1499,7 +1501,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of crun 1.9:";; + short | recursive ) echo "Configuration of crun 1.9.2:";; esac cat <<\_ACEOF @@ -1658,7 +1660,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -crun configure 1.9 +crun configure 1.9.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2264,7 +2266,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by crun $as_me 1.9, which was +It was created by crun $as_me 1.9.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -12116,7 +12118,7 @@ # Define the identity of the package. PACKAGE='crun' - VERSION='1.9' + VERSION='1.9.2' cat >>confdefs.h <<_ACEOF 
@@ -13575,7 +13577,7 @@ fi -for ac_func in copy_file_range fgetxattr statx fgetpwent_r issetugid +for ac_func in copy_file_range fgetxattr statx fgetpwent_r issetugid memfd_create do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -14359,6 +14361,17 @@ done fi + + if test "x$with_libkrun" = xyes; then + ENABLE_KRUN_TRUE= + ENABLE_KRUN_FALSE='#' +else + ENABLE_KRUN_TRUE='#' + ENABLE_KRUN_FALSE= +fi + + + # Check whether --enable-seccomp was given. if test "${enable_seccomp+set}" = set; then : enableval=$enable_seccomp; @@ -16275,6 +16288,10 @@ as_fn_error $? "conditional \"HAVE_EMBEDDED_YAJL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_KRUN_TRUE}" && test -z "${ENABLE_KRUN_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_KRUN\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${PYTHON_BINDINGS_TRUE}" && test -z "${PYTHON_BINDINGS_FALSE}"; then as_fn_error $? "conditional \"PYTHON_BINDINGS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -16688,7 +16705,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by crun $as_me 1.9, which was +This file was extended by crun $as_me 1.9.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -16754,7 +16771,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -crun config.status 1.9 +crun config.status 1.9.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/configure.ac new/crun-1.9.2/configure.ac --- old/crun-1.9/configure.ac 2023-09-07 15:28:45.000000000 +0200 +++ new/crun-1.9.2/configure.ac 2023-09-27 22:33:35.000000000 +0200 @@ -29,7 +29,7 @@ AC_CHECK_TYPES([atomic_int], [], [], [[#include <stdatomic.h>]]) AC_CHECK_TYPES([atomic_bool], [], [], [[#include <stdatomic.h>]]) -AC_CHECK_FUNCS(copy_file_range fgetxattr statx fgetpwent_r issetugid) +AC_CHECK_FUNCS(copy_file_range fgetxattr statx fgetpwent_r issetugid memfd_create) AC_ARG_ENABLE(crun, AS_HELP_STRING([--enable-crun], [Include crun executable in installation (default: yes)]), @@ -129,6 +129,10 @@ dnl include support for libkrun (EXPERIMENTAL) AC_ARG_WITH([libkrun], AS_HELP_STRING([--with-libkrun], [build with libkrun support])) AS_IF([test "x$with_libkrun" = "xyes"], AC_CHECK_HEADERS([libkrun.h], AC_DEFINE([HAVE_LIBKRUN], 1, [Define if libkrun is available]), [AC_MSG_ERROR([*** Missing libkrun headers])])) + +AM_CONDITIONAL([ENABLE_KRUN], [test "x$with_libkrun" = xyes]) + + dnl libseccomp AC_ARG_ENABLE([seccomp], AS_HELP_STRING([--disable-seccomp], [Ignore libseccomp and disable support])) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/krun.1 new/crun-1.9.2/krun.1 --- old/crun-1.9/krun.1 1970-01-01 01:00:00.000000000 +0100 +++ new/crun-1.9.2/krun.1 2023-09-26 16:45:32.000000000 +0200 
@@ -0,0 +1,43 @@
+.nh
+.TH crun 1 "User Commands"
+
+.SH NAME
+.PP
+krun - crun based OCI runtime using libkrun to run containerized programs in
+isolated KVM environments
+
+
+.SH SYNOPSIS
+.PP
+krun [global options] command [command options] [arguments...]
+
+
+.SH DESCRIPTION
+.PP
+krun is a sub package of the crun command line program for running Linux
+containers that follow the Open Container Initiative (OCI) format. The krun
+command is a symbolic link to the crun executable, that tells crun to run in
+krun mode.
+
+.PP
+krun uses the dynamic libkrun library to run processes in an isolated
+environment using KVM Virtualization.
+
+.PP
+libkrun integrates a VMM (Virtual Machine Monitor, the userspace side of a
+Hypervisor) with the minimum amount of emulated devices required for its
+purpose, abstracting most of the complexity from Virtual Machine management.
+
+.PP
+Because of the additional isolation, sharing content with processes and other
+containers outside of the krun VM is more difficult.
+
+
+.SH COMMANDS
+.PP
+See crun.1 man page for the commands available to krun
+
+
+.SH SEE ALSO
+.PP
+crun.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/krun.1.md new/crun-1.9.2/krun.1.md
--- old/crun-1.9/krun.1.md 1970-01-01 01:00:00.000000000 +0100
+++ new/crun-1.9.2/krun.1.md 2023-09-26 16:45:32.000000000 +0200 
@@ -0,0 +1,34 @@ +crun 1 "User Commands" +================================================== + +# NAME + +krun - crun based OCI runtime using libkrun to run containerized programs in +isolated KVM environments + +# SYNOPSIS + +krun [global options] command [command options] [arguments...] + +# DESCRIPTION + +krun is a sub package of the crun command line program for running Linux +containers that follow the Open Container Initiative (OCI) format. The krun +command is a symbolic link to the crun executable, that tells crun to run in +krun mode. + +krun uses the dynamic libkrun library to run processes in an isolated +environment using KVM Virtualization. + +libkrun integrates a VMM (Virtual Machine Monitor, the userspace side of a +Hypervisor) with the minimum amount of emulated devices required for its +purpose, abstracting most of the complexity from Virtual Machine management. + +Because of the additional isolation, sharing content with processes and other +containers outside of the krun VM is more difficult. +# COMMANDS + +See crun.1 man page for the commands available to krun + +# SEE ALSO +crun.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/rpm/crun.spec new/crun-1.9.2/rpm/crun.spec --- old/crun-1.9/rpm/crun.spec 2023-08-21 14:16:35.000000000 +0200 +++ new/crun-1.9.2/rpm/crun.spec 2023-09-27 22:33:35.000000000 +0200 @@ -126,12 +126,13 @@ %files %license COPYING %{_bindir}/%{name} -%{_mandir}/man1/* +%{_mandir}/man1/%{name}.1.gz %if %{defined krun_support} %files krun %license COPYING %{_bindir}/krun +%{_mandir}/man1/krun.1.gz %endif %if %{defined wasm_support} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/src/libcrun/cgroup-setup.c new/crun-1.9.2/src/libcrun/cgroup-setup.c --- old/crun-1.9/src/libcrun/cgroup-setup.c 2023-08-21 14:16:35.000000000 +0200 +++ new/crun-1.9.2/src/libcrun/cgroup-setup.c 2023-09-27 22:33:35.000000000 +0200 
@@ -33,6 +33,7 @@ #include <inttypes.h> #include <time.h> +#include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <fcntl.h> @@ -458,8 +459,33 @@ enter_cgroup (int cgroup_mode, pid_t pid, pid_t init_pid, const char *path, bool create_if_missing, libcrun_error_t *err) { + int ret; if (cgroup_mode == CGROUP_MODE_UNIFIED) - return enter_cgroup_v2 (pid, init_pid, path, create_if_missing, err); - - return enter_cgroup_v1 (pid, path, create_if_missing, err); + { + ret = enter_cgroup_v2 (pid, init_pid, path, create_if_missing, err); + if (UNLIKELY (ret < 0)) + return ret; + } + else + { + ret = enter_cgroup_v1 (pid, path, create_if_missing, err); + if (UNLIKELY (ret < 0)) + return ret; + } + /* Reset the inherited cpu affinity. Old kernels do that automatically, but + new kernels remember the affinity that was set before the cgroup move. + This is undesirable, because it inherits the systemd affinity when the container + should really move to the container space cpus. + + The sched_setaffinity call will always return an error (EINVAL or ENODEV) + when used like this. This is expected and part of the backward compatibility. + + See: https://issues.redhat.com/browse/OCPBUGS-15102 */ + ret = sched_setaffinity (pid, 0, NULL); + if (LIKELY (ret < 0)) + { + if (UNLIKELY (! ((errno == EINVAL) || (errno == ENODEV)))) + return crun_make_error (err, errno, "failed to reset affinity"); + } + return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/src/libcrun/cgroup.c new/crun-1.9.2/src/libcrun/cgroup.c --- old/crun-1.9/src/libcrun/cgroup.c 2023-07-27 09:36:43.000000000 +0200 +++ new/crun-1.9.2/src/libcrun/cgroup.c 2023-09-27 22:33:35.000000000 +0200 @@ -30,6 +30,7 @@ #include "utils.h" #include "status.h" #include <string.h> +#include <sched.h> #include <sys/types.h> #include <signal.h> #include <sys/vfs.h> 
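Review bot: The affinity-reset block added at the end of enter_cgroup (from the `Reset the inherited cpu affinity` comment through the errno check) is duplicated verbatim by the cgroup.c hunk of this same commit, which differs only in passing `args->pid`; both call sites should share one helper, e.g. `static int reset_inherited_cpu_affinity (pid_t pid, libcrun_error_t *err)` next to the other cgroup utilities, so that the EINVAL/ENODEV allow-list and the OCPBUGS-15102 explanation live in one place. That allow-list is a contract with kernel behaviour the code cannot verify locally, which is one more reason to keep a single copy. Any other errno (EPERM or ESRCH, for instance) now fails a cgroup move that the removed lines would have reported as successful, so the message `failed to reset affinity` should make clear the join itself succeeded, e.g. `"failed to reset cpu affinity after joining the cgroup"`, and an operator does not go looking for a cgroup permission problem.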
@@ -379,6 +380,21 @@ return ret; } } + /* Reset the inherited cpu affinity. Old kernels do that automatically, but + new kernels remember the affinity that was set before the cgroup move. + This is undesirable, because it inherits the systemd affinity when the container + should really move to the container space cpus. + + The sched_setaffinity call will always return an error (EINVAL or ENODEV) + when used like this. This is expected and part of the backward compatibility. + + See: https://issues.redhat.com/browse/OCPBUGS-15102 */ + ret = sched_setaffinity (args->pid, 0, NULL); + if (LIKELY (ret < 0)) + { + if (UNLIKELY (! ((errno == EINVAL) || (errno == ENODEV)))) + return crun_make_error (err, errno, "failed to reset affinity"); + } success: *out = status; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/src/libcrun/linux.c new/crun-1.9.2/src/libcrun/linux.c --- old/crun-1.9/src/libcrun/linux.c 2023-09-07 15:28:45.000000000 +0200 +++ new/crun-1.9.2/src/libcrun/linux.c 2023-09-26 16:45:57.000000000 +0200 @@ -92,6 +92,18 @@ # define MOVE_MOUNT_T_EMPTY_PATH 0x00000040 #endif +#ifndef FSOPEN_CLOEXEC +# define FSOPEN_CLOEXEC 0x00000001 +#endif + +#ifndef FSMOUNT_CLOEXEC +# define FSMOUNT_CLOEXEC 0x00000001 +#endif + +#ifndef FSCONFIG_CMD_CREATE +# define FSCONFIG_CMD_CREATE 6 +#endif + struct remount_s { struct remount_s *next; @@ -1082,6 +1094,7 @@ int label_how, libcrun_error_t *err) { cleanup_free char *data_with_label = NULL; + cleanup_close int ms_move_fd = -1; const char *real_target = target; bool single_instance = false; proc_fd_path_t target_buffer; 
@@ -1115,6 +1128,23 @@ data = data_with_label; } + if (mountflags & MS_MOVE) + { + if ((mountflags & MS_BIND) || fstype) + return crun_make_error (err, 0, "internal error: cannot use MS_MOVE with MS_BIND or fstype"); + + ret = mount (source, real_target, NULL, MS_MOVE, NULL); + if (UNLIKELY (ret < 0)) + return crun_make_error (err, errno, "move mount `%s` to `%s`", source, target); + mountflags &= ~MS_MOVE; + + /* We need to reopen the path as the previous targetfd is underneath the new mountpoint. */ + ms_move_fd = open_mount_target (container, target, err); + if (UNLIKELY (ms_move_fd < 0)) + return fd; + targetfd = ms_move_fd; + } + if ((fstype && fstype[0]) || (mountflags & MS_BIND)) { unsigned long flags = mountflags & ~(ALL_PROPAGATIONS_NO_REC | MS_RDONLY); 
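Review bot: In the new MS_MOVE branch, the error path after `open_mount_target` returns `fd` although the failure value is in `ms_move_fd`; `fd` is declared outside this hunk so I cannot tell what it holds here, but it is not the result of that call, and a non-negative `fd` would let the caller carry on with *err set. The line should read `return ms_move_fd;`. The `mountflags &= ~MS_MOVE;` after the successful move presumably keeps the remaining remount steps from repeating the move; since do_mount continues well past the hunk, a one-line comment stating that intent would help the next reader.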
@@ -1287,8 +1317,37 @@ if (errno == EBUSY) { /* If we got EBUSY it means the cgroup file system is already mounted at the targetfd and we - cannot stack another one on top of it. Place a tmpfs in the middle, then try again. */ - ret = do_mount (container, "tmpfs", targetfd, target, "tmpfs", 0, "nr_blocks=1,nr_inodes=1", LABEL_NONE, err); + cannot stack another one on top of it. First attempt with a temporary mount and then move + it to the destination directory. If that cannot be used try mounting a tmpfs below the + cgroup mount. */ + cleanup_free char *state_dir = NULL; + + state_dir = libcrun_get_state_directory (container->context->state_root, container->context->id); + + if (state_dir) + { + cleanup_free char *tmp_mount_dir = NULL; + + ret = append_paths (&tmp_mount_dir, err, state_dir, "tmpmount", NULL); + if (UNLIKELY (ret < 0)) + return ret; + + ret = crun_ensure_directory (tmp_mount_dir, 0700, true, err); + if (ret == 0) + { + ret = mount ("cgroup2", tmp_mount_dir, "cgroup2", 0, NULL); + if (LIKELY (ret == 0)) + { + ret = do_mount (container, tmp_mount_dir, targetfd, target, NULL, MS_MOVE | mountflags, NULL, LABEL_NONE, err); + if (LIKELY (ret == 0)) + return 0; + + crun_error_release (err); + } + } + } + + ret = do_mount (container, "tmpfs", targetfd, target, "tmpfs", MS_PRIVATE, "nr_blocks=1,nr_inodes=1", LABEL_NONE, err); if (LIKELY (ret == 0)) { ret = do_mount (container, "cgroup2", targetfd, target, "cgroup2", mountflags, NULL, LABEL_NONE, err); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/src/libcrun/seccomp.c new/crun-1.9.2/src/libcrun/seccomp.c --- old/crun-1.9/src/libcrun/seccomp.c 2023-07-27 09:36:43.000000000 +0200 +++ new/crun-1.9.2/src/libcrun/seccomp.c 2023-09-26 16:45:32.000000000 +0200 
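Review bot: In the new temporary-mount path, when `crun_ensure_directory` fails its `ret < 0` result is dropped and control falls through to the tmpfs fallback with *err still set, so that error object is neither returned nor released — unlike the MS_MOVE failure just below, which correctly calls `crun_error_release (err)`. Adding `else crun_error_release (err);` to the `if (ret == 0)` on the ensure-directory result keeps the two fallback steps consistent and avoids carrying a stale error into the next do_mount. Separately, when `mount ("cgroup2", tmp_mount_dir, "cgroup2", 0, NULL)` succeeds but the subsequent move fails, the cgroup2 filesystem stays mounted on `tmp_mount_dir` under the state directory while the tmpfs fallback proceeds; an `umount2 (tmp_mount_dir, MNT_DETACH)` before that `crun_error_release (err)` would, as far as this hunk shows, keep the stray mount out of the container's mount namespace. The enclosing function continues outside the hunk.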
@@ -262,9 +262,13 @@ return crun_make_error (err, 0, "the `SECCOMP_FILTER_FLAG_NEW_LISTENER` flag is not supported"); # endif +# ifdef HAVE_MEMFD_CREATE memfd = memfd_create ("seccomp-helper-memfd", O_RDWR); if (UNLIKELY (memfd < 0)) return crun_make_error (err, errno, "memfd_create"); +# else + return crun_make_error (err, ENOSYS, "memfd_create non supported"); +# endif ret = ftruncate (memfd, sizeof (atomic_int)); if (UNLIKELY (ret < 0)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/src/libcrun/utils.c new/crun-1.9.2/src/libcrun/utils.c --- old/crun-1.9/src/libcrun/utils.c 2023-09-07 15:28:45.000000000 +0200 +++ new/crun-1.9.2/src/libcrun/utils.c 2023-09-26 16:45:32.000000000 +0200 @@ -205,6 +205,7 @@ int get_file_type_at (int dirfd, mode_t *mode, bool nofollow, const char *path) { + int empty_path = path == NULL ? AT_EMPTY_PATH : 0; struct stat st; int ret; @@ -213,7 +214,7 @@ 0, }; - ret = statx (dirfd, path, (nofollow ? AT_SYMLINK_NOFOLLOW : 0) | AT_STATX_DONT_SYNC, STATX_TYPE, &stx); + ret = statx (dirfd, path ?: "", empty_path | (nofollow ? AT_SYMLINK_NOFOLLOW : 0) | AT_STATX_DONT_SYNC, STATX_TYPE, &stx); if (UNLIKELY (ret < 0)) { if (errno == ENOSYS || errno == EINVAL) @@ -226,7 +227,7 @@ fallback: #endif - ret = fstatat (dirfd, path, &st, nofollow ? AT_SYMLINK_NOFOLLOW : 0); + ret = fstatat (dirfd, path ?: "", &st, empty_path | (nofollow ? AT_SYMLINK_NOFOLLOW : 0)); *mode = st.st_mode; return ret; } 
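Review bot: The added `# else` branch returns from the middle of the function, so when HAVE_MEMFD_CREATE is undefined the `ftruncate (memfd, ...)` that follows (and whatever comes after it outside the hunk) is dead code and `memfd` is likely to draw an unused-variable warning; placing the whole memfd-dependent body under the `#ifdef`, or stubbing the function out for that configuration, reads more clearly than a preprocessor-guarded early return. The message `memfd_create non supported` is ungrammatical and slightly misleading, since the condition is decided at build time (the libc used for the build lacked the symbol) rather than by the running kernel; `"crun was built without memfd_create support"` says what actually happened. A runtime ENOSYS from a real memfd_create call is already reported through the errno passed to crun_make_error in the `#ifdef` branch.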
@@ -546,9 +547,28 @@ return crun_make_error (err, errno, "mkdir `/%s`", npath); } - cwd = safe_openat (dirfd, dirpath, dirpath_len, npath, O_CLOEXEC | O_PATH, 0, err); + cwd = safe_openat (dirfd, dirpath, dirpath_len, npath, (last_component ? O_PATH : 0) | O_CLOEXEC, 0, err); if (UNLIKELY (cwd < 0)) - return cwd; + return crun_error_wrap (err, "creating `/%s`", path); + + if (! last_component) + { + mode_t st_mode; + + ret = get_file_type_at (cwd, &st_mode, true, NULL); + if (UNLIKELY (ret < 0)) + { + int saved_errno = errno; + + close (cwd); + return crun_make_error (err, saved_errno, "error stat'ing file `%s`", npath); + } + if ((st_mode & S_IFMT) != S_IFDIR) + { + close (cwd); + return crun_make_error (err, ENOTDIR, "error creating directory `%s` since `%s` exists and it is not a directory", path, npath); + } + } close_and_replace (&wd_cleanup, cwd); @@ -2079,19 +2099,9 @@ ret = fchmodat (destdirfd, de->d_name, mode & ALLPERMS, AT_SYMLINK_NOFOLLOW); if (UNLIKELY (ret < 0)) { + /* If the operation fails with ENOTSUP we are dealing with a symlink, so ignore it. */ if (errno == ENOTSUP) - { - proc_fd_path_t proc_path; - cleanup_close int fd = -1; - - fd = openat (destdirfd, de->d_name, O_PATH | O_NOFOLLOW); - if (UNLIKELY (fd < 0)) - return crun_make_error (err, errno, "open `%s/%s`", destname, de->d_name); - - get_proc_self_fd_path (proc_path, fd); - - ret = chmod (proc_path, mode & ALLPERMS); - } + continue; if (UNLIKELY (ret < 0)) return crun_make_error (err, errno, "chmod `%s/%s`", destname, de->d_name); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/crun-1.9/tests/test_mounts.py new/crun-1.9.2/tests/test_mounts.py --- old/crun-1.9/tests/test_mounts.py 2023-09-07 15:28:45.000000000 +0200 +++ new/crun-1.9.2/tests/test_mounts.py 2023-09-26 16:45:32.000000000 +0200 
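Review bot: The new flag expression `(last_component ? O_PATH : 0) | O_CLOEXEC` opens every intermediate component without O_PATH, i.e. for reading, before the new type check runs; if such a component already exists as something other than a directory (a FIFO, for instance) the open itself can block or have side effects, and the ENOTDIR diagnostic this hunk adds is never reached. Unless safe_openat (outside the hunk) needs a readable descriptor for intermediate components, keeping the original `O_PATH | O_CLOEXEC` for all components should suffice, since `get_file_type_at (cwd, &st_mode, true, NULL)` uses AT_EMPTY_PATH (per the utils.c hunk above) and that works on an O_PATH descriptor; adding O_DIRECTORY for non-last components would additionally let the kernel reject non-directories at open time. The two explicit `close (cwd)` calls in the error paths could also go away by moving `close_and_replace (&wd_cleanup, cwd);` above the type check, if `wd_cleanup` is the cleanup-managed descriptor its name suggests. The enclosing function starts and ends outside the hunk.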
@@ -417,6 +417,56 @@ return 0 +def test_cgroup_mount_without_netns(): + for cgroupns in [True, False]: + conf = base_config() + conf['process']['args'] = ['/init', 'cat', '/proc/self/mountinfo'] + add_all_namespaces(conf, cgroupns=cgroupns, netns=False) + mounts = [ + { + "destination": "/proc", + "type": "proc" + }, + { + "destination": "/sys", + "type": "bind", + "source": "/sys", + "options": [ + "rprivate", + "nosuid", + "noexec", + "nodev", + "ro", + "rbind" + ] + }, + { + "destination": "/sys/fs/cgroup", + "type": "cgroup", + "source": "cgroup", + "options": [ + "rprivate", + "nosuid", + "noexec", + "nodev", + "rprivate", + "relatime", + "ro" + ] + } + ] + + conf['mounts'] = mounts + + out, _ = run_and_get_output(conf) + print(out) + for i in out.split("\n"): + if i.find("/sys/fs/cgroup") >= 0: + if i.find("tmpfs") >= 0: + print("tmpfs temporary mount still present with cgroupns=%s %s" % (cgroupns, i)) + return -1 + return 0 + all_tests = { "mount-ro" : test_mount_ro, "mount-rw" : test_mount_rw, @@ -439,6 +489,7 @@ "mount-linux-readonly-should-inherit-flags": test_mount_readonly_should_inherit_options_from_parent, "proc-linux-readonly-should-inherit-flags": test_proc_readonly_should_inherit_options_from_parent, "mount-ro-cgroup": test_ro_cgroup, + "cgroup-mount-without-netns": test_cgroup_mount_without_netns, } if __name__ == "__main__":
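Review bot: test_cgroup_mount_without_netns only proves that no mountinfo line mentioning `/sys/fs/cgroup` also mentions tmpfs; if the cgroup mount were skipped entirely the loop body never fires and the test passes, so a positive check that a cgroup-type entry for `/sys/fs/cgroup` exists is needed for the test to actually guard the EBUSY fallback it was written for. It also has no guard on the host's cgroup mode: on a cgroup v1 host, as far as I know, crun's `/sys/fs/cgroup` is itself a tmpfs holding the per-controller mounts, which would make this test fail for reasons unrelated to the change, so it should return the skip code when the unified hierarchy is not in use (the hunk shows no helper for that, so the exact call depends on what tests_utils.py offers). Minor points: `print(out)` dumps the whole mountinfo on every iteration, `i.find(...) >= 0` reads better as `"/sys/fs/cgroup" in i`, and `rprivate` is listed twice in the cgroup mount's options. The rewritten tail of the loop below parses the filesystem type from the field after the ` - ` separator instead of substring-matching the whole line.
```python
        out, _ = run_and_get_output(conf)
        # mountinfo: "... - FSTYPE SOURCE OPTIONS"; keep only entries for the cgroup mountpoint
        cgroup_mounts = []
        for i in out.split("\n"):
            if "/sys/fs/cgroup" not in i or " - " not in i:
                continue
            fstype = i.split(" - ", 1)[1].split()[0]
            cgroup_mounts.append((i, fstype))
        if not any(fstype.startswith("cgroup") for _, fstype in cgroup_mounts):
            print("no cgroup mount at /sys/fs/cgroup with cgroupns=%s" % cgroupns)
            return -1
        for i, fstype in cgroup_mounts:
            if fstype == "tmpfs":
                print("tmpfs temporary mount still present with cgroupns=%s %s" % (cgroupns, i))
                return -1
    # … unchanged: return 0 and the all_tests registration …
```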