Bug#1004533: bullseye-pu: package golang-github-opencontainers-specs/1.0.2.41.g7413a7f-1

2022-02-19 Thread Adam D. Barratt
Control: tags -1 + confirmed
Control: clone -1 -2 -3
Control: retitle -2 bullseye-pu: package golang-github-containers-common/0.33.4+ds1-1+deb11u1
Control: retitle -3 bullseye-pu: package libpod/3.0.1+dfsg1-3+deb11u1

On Sat, 2022-01-29 at 21:00 -0500, Reinhard Tartler wrote:
> podman (produced by src:libpod) allows users to run docker-compatible
> container images. Because of recent changes in syscall wrappers, the
> version of podman in bullseye will not be able to run container
> images that ship glibc 2.34, which is currently in experimental and
> present in recent versions of Ubuntu and Fedora.
> 
[...]
> There are three packages that need updating in order:
> 

In that case, they should really be three separate requests, as each
package's status will need tracking individually; cloning now.

All three packages can be uploaded together - the versioned build-
dependencies should prevent them being built too early, and in any case
we can simply hold off accepting the later packages until the earlier
ones are available.

A couple of notes:

> +golang-github-containers-common (0.33.4+ds1-1+deb11u1) bullseye;
> urgency=medium
[...]
> diff --git a/debian/control b/debian/control
> index 8277c714..bfaffc6f 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -15,6 +15,7 @@ Build-Depends: debhelper-compat (= 12),
> golang-github-onsi-ginkgo-dev,
> golang-github-opencontainers-runc-dev (>>
> 1.0.0~rc92),
> golang-github-opencontainers-selinux-dev (>> 1.8.0),
> +   golang-github-opencontainers-specs-dev (>=
> 1.0.2.41.g7413a7f-1+deb11u1),
> golang-github-pkg-errors-dev,
> golang-github-stretchr-testify-dev,
> golang-gocapability-dev,
> @@ -47,6 +48,7 @@ Depends: golang-github-containers-image-dev (>>
> 5.10~~),
>   golang-github-onsi-ginkgo-dev,
>   golang-github-opencontainers-runc-dev (>> 1.0.0~rc92),
>   golang-github-opencontainers-selinux-dev (>> 1.8.0),
> + golang-github-opencontainers-specs-dev (>=
> 1.0.2.41.g7413a7f-1deb11u1),
> 

There's a "+" missing in the new runtime dependency - it should be "-1+deb11u1", as with the build-dependency.

[...]
> diff -Nru libpod-3.0.1+dfsg1/debian/control libpod-
> 3.0.1+dfsg1/debian/control
> --- libpod-3.0.1+dfsg1/debian/control 2021-06-13 18:28:49.0
> -0400
> +++ libpod-3.0.1+dfsg1/debian/control 2021-09-27 11:26:34.0
> -0400
> @@ -18,7 +18,7 @@
>  ,golang-github-containerd-cgroups-dev
>  ,golang-github-containernetworking-plugins-dev (>= 0.8.7)
>  ,golang-github-containers-buildah-dev (>= 1.19.6)
> -,golang-github-containers-common-dev (>= 0.33.4)
> +,golang-github-containers-common-dev (>= 0.33.4+ds1-1+deb11u1)
>  ,golang-github-containers-image-dev (>= 5.10.2)
>  ,golang-github-containers-ocicrypt-dev
>  ,golang-github-containers-psgo-dev
> @@ -93,7 +93,7 @@
>  Depends: ${misc:Depends}, ${shlibs:Depends}
>  ,conmon (>= 2.0.18~)
>  ,containernetworking-plugins (>= 0.8.7)
> -,golang-github-containers-common
> +,golang-github-containers-common (>= 0.33.4+ds1-1+debu11u1)
> 

The new runtime dependency has one too many "u"s - it should be "-1+deb11u1", not "-1+debu11u1".

Regards,

Adam



Bug#1004533: bullseye-pu: package golang-github-opencontainers-specs/1.0.2.41.g7413a7f-1

2022-01-29 Thread Reinhard Tartler
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: siret...@tauware.de

[ Reason ]
podman (produced by src:libpod) allows users to run docker-compatible
container images. Because of recent changes in syscall wrappers, the version
of podman in bullseye will not be able to run container images that ship
glibc 2.34, which is currently in experimental and present in recent versions
of Ubuntu and Fedora.

[ Impact ]
Without these patches, containers will crash at least on arm (cf. #994451) and
amd64 at runtime.

[ Tests ]
The changes have been verified with manual testing.

[ Risks ]
I've attempted to keep the changes as minimal as possible.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

There are three packages that need updating in order:

diff --git a/debian/changelog b/debian/changelog
index f644f7e..d06dbd5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-opencontainers-specs (1.0.2.41.g7413a7f-1+deb11u1) bullseye; 
urgency=medium
+
+  * Backport seccomp patches from upstream to allow execution of newer
+syscalls, Closes: #994451
+
+ -- Reinhard Tartler   Mon, 27 Sep 2021 12:12:47 -0400
+
 golang-github-opencontainers-specs (1.0.2.41.g7413a7f-1) unstable; 
urgency=medium

   * Team upload.
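Review bot: the entry says the backport allows execution of newer syscalls, but the only patch in this debdiff adds the defaultErrnoRet field to the spec types; the behaviour change itself comes from the containers-common and libpod updates listed as the next two packages. It would help a reader of the bullseye changelog if the entry said this is the spec side of the fix and named the glibc 2.34 syscall wrappers from the [ Reason ] section, so it is clear why a spec-only package closes a runtime crash bug.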
diff --git a/debian/patches/override-default-errno-code.patch 
b/debian/patches/override-default-errno-code.patch
new file mode 100644
index 000..de4f589
--- /dev/null
+++ b/debian/patches/override-default-errno-code.patch
@@ -0,0 +1,66 @@
+From f7ef278d1bbaa6f97b8ef511fad478a31e953290 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano 
+Date: Thu, 21 Jan 2021 13:20:57 +0100
+Subject: [PATCH] seccomp: allow to override default errno return code
+
+the specs already support overriding the errno code for the syscalls
+but the default value is hardcoded to EPERM.
+
+Add a new attribute to override the default value.
+
+Signed-off-by: Giuseppe Scrivano 
+---
+ config-linux.md  | 4 
+ schema/config-linux.json | 3 +++
+ specs-go/config.go   | 9 +
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/config-linux.md b/config-linux.md
+index 3c9d77f5..9a515fbf 100644
+--- a/config-linux.md
 b/config-linux.md
+@@ -594,6 +594,10 @@ The actions, architectures, and operators are strings 
that match the definitions
+ The following parameters can be specified to set up seccomp:
+
+ * **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. 
Allowed values are the same as `syscalls[].action`.
++* **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
++Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify 
the errno code to return.
++When the action doesn't support an errno, the runtime MUST print and 
error and fail.
++If not specified then its default value is `EPERM`.
+ * **`architectures`** *(array of strings, OPTIONAL)* - the architecture used 
for system calls.
+ A valid list of constants as of libseccomp v2.5.0 is shown below.
+
+diff --git a/schema/config-linux.json b/schema/config-linux.json
+index 83478cc9..61468b9c 100644
+--- a/schema/config-linux.json
 b/schema/config-linux.json
+@@ -203,6 +203,9 @@
+ "defaultAction": {
+ "$ref": "defs-linux.json#/definitions/SeccompAction"
+ },
++"defaultErrnoRet": {
++"$ref": "defs.json#/definitions/uint32"
++},
+ "flags": {
+ "type": "array",
+ "items": {
+diff --git a/specs-go/config.go b/specs-go/config.go
+index 40955144..16eac6dd 100644
+--- a/specs-go/config.go
 b/specs-go/config.go
+@@ -598,10 +598,11 @@ type VMImage struct {
+
+ // LinuxSeccomp represents syscall restrictions
+ type LinuxSeccomp struct {
+-  DefaultAction LinuxSeccompAction `json:"defaultAction"`
+-  Architectures []Arch `json:"architectures,omitempty"`
+-  Flags []LinuxSeccompFlag `json:"flags,omitempty"`
+-  Syscalls  []LinuxSyscall `json:"syscalls,omitempty"`
++  DefaultAction   LinuxSeccompAction `json:"defaultAction"`
++  DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
++  Architectures   []Arch `json:"architectures,omitempty"`
++  Flags   []LinuxSeccompFlag `json:"flags,omitempty"`
++  Syscalls[]LinuxSyscall `json:"syscalls,omitempty"`
+ }
+
+ // Arch used for additional architectures
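Review bot: the three descriptions of the new field in this hunk disagree on its type: config-linux.md documents it as uint, schema/config-linux.json references defs.json#/definitions/uint32, and specs-go/config.go declares it as *uint. The same hunk also carries the typo "the runtime MUST print and error and fail" (for "an error"). Since this is a verbatim backport of upstream commit f7ef278d the text should stay as is here, but both points are worth reporting upstream rather than diverging in the Debian patch.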
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..cd75fd3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
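Review bot: the hunk header @@ -0,0 +1 @@ announces one added line, but no + line follows in the debdiff as posted; please confirm that debian/patches/series actually lists override-default-errno-code.patch, otherwise the new patch is never applied at build time.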
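Added example (not part of the Debian packages or of upstream commit f7ef278d), in Go, modelling the defaultErrnoRet rules the backported patch documents: EPERM when the field is absent, the given value for SCMP_ACT_ERRNO/SCMP_ACT_TRACE, and a hard failure when the field is set on an action that carries no errno. The LinuxSeccomp struct is a constructed two-field subset of the spec type and the JSON profiles are constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"syscall"
)

// LinuxSeccomp is a constructed subset of the spec struct with only the two fields
// the rule needs. DefaultErrnoRet is a pointer so "absent" and 0 are distinguishable.
type LinuxSeccomp struct {
	DefaultAction   string `json:"defaultAction"`
	DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
}

// EffectiveDefaultErrno applies the semantics the patch documents: EPERM unless
// defaultErrnoRet is given, and an errno is only valid for ERRNO/TRACE actions.
// For other actions it returns 0 (not applicable), or an error if one was set.
func EffectiveDefaultErrno(cfg LinuxSeccomp) (uint, error) {
	switch cfg.DefaultAction {
	case "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE":
		if cfg.DefaultErrnoRet == nil {
			return uint(syscall.EPERM), nil
		}
		return *cfg.DefaultErrnoRet, nil
	}
	if cfg.DefaultErrnoRet != nil {
		return 0, fmt.Errorf("defaultErrnoRet set but action %q carries no errno", cfg.DefaultAction)
	}
	return 0, nil
}

// ParseSeccomp decodes a JSON seccomp section and resolves its effective errno.
func ParseSeccomp(raw string) (uint, error) {
	var cfg LinuxSeccomp
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return 0, err
	}
	return EffectiveDefaultErrno(cfg)
}

func main() {
	// Constructed profiles: the old hardcoded EPERM default, and one asking for
	// ENOSYS so a libc probing for a new syscall can fall back to an older one.
	for _, raw := range []string{
		`{"defaultAction":"SCMP_ACT_ERRNO"}`,
		fmt.Sprintf(`{"defaultAction":"SCMP_ACT_ERRNO","defaultErrnoRet":%d}`, int(syscall.ENOSYS)),
	} {
		e, err := ParseSeccomp(raw)
		fmt.Println(raw, "->", e, syscall.Errno(e), err)
	}
}
```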