Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package runc for openSUSE:Factory checked in at 2021-07-02 13:26:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/runc (Old) and /work/SRC/openSUSE:Factory/.runc.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "runc" Fri Jul 2 13:26:39 2021 rev:39 rq:903381 version:1.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/runc/runc.changes 2021-05-20 19:24:08.678169355 +0200 +++ /work/SRC/openSUSE:Factory/.runc.new.2625/runc.changes 2021-07-02 13:27:04.440943577 +0200 
@@ -1,0 +2,39 @@ +Thu Jul 1 03:39:56 UTC 2021 - Aleksa Sarai <asarai@suse.com> + +- Backport <https://github.com/opencontainers/runc/pull/3055> to fix issues + with runc under openSUSE MicroOS's SELinux policy. boo#1187704 + + boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch + +------------------------------------------------------------------- +Tue Jun 1 11:00:30 UTC 2021 - Aleksa Sarai <asarai@suse.com> + +- Update to runc v1.0.0. Upstream changelog is available from + https://github.com/opencontainers/runc/releases/tag/v1.0.0 + + ! The usage of relative paths for mountpoints will now produce a warning + (such configurations are outside of the spec, and in future runc will + produce an error when given such configurations). + + * cgroupv2: devices: rework the filter generation to produce consistent + results with cgroupv1, and always clobber any existing eBPF + program(s) to fix runc update and avoid leaking eBPF programs + (resulting in errors when managing containers). + * cgroupv2: correctly convert "number of IOs" statistics in a + cgroupv1-compatible way. + * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. + * cgroupv2: wait for freeze to finish before returning from the freezing + code, optimize the method for checking whether a cgroup is frozen. + * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94 + * cgroups/systemd: fixed returning "unit already exists" error from a systemd + cgroup manager (regression in rc94) + + + cgroupv2: support SkipDevices with systemd driver + + cgroup/systemd: return, not ignore, stop unit error from Destroy + + Make "runc --version" output sane even when built with go get or + otherwise outside of our build scripts. + + cgroups: set SkipDevices during runc update (so we don't modify + cgroups at all during runc update). + + cgroup1: blkio: support BFQ weights. + + cgroupv2: set per-device io weights if BFQ IO scheduler is available. 
+ +------------------------------------------------------------------- Old: ---- runc-1.0.0-rc95.tar.xz runc-1.0.0-rc95.tar.xz.asc New: ---- boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch runc-1.0.0.tar.xz runc-1.0.0.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ runc.spec ++++++ --- /var/tmp/diff_new_pack.M1h6dY/_old 2021-07-02 13:27:05.028939015 +0200 +++ /var/tmp/diff_new_pack.M1h6dY/_new 2021-07-02 13:27:05.028939015 +0200 @@ -25,8 +25,8 @@ %define project github.com/opencontainers/runc Name: runc -Version: 1.0.0~rc95 -%define _version 1.0.0-rc95 +Version: 1.0.0 +%define _version 1.0.0 Release: 0 Summary: Tool for spawning and running OCI containers License: Apache-2.0 @@ -36,6 +36,8 @@ Source1: https://github.com/opencontainers/runc/releases/download/v%{_version}/runc.tar.xz.asc#/runc-%{_version}.tar.xz.asc Source2: runc.keyring Source3: runc-rpmlintrc +# FIX-UPSTREAM: Backport of <https://github.com/opencontainers/runc/pull/3055>. boo#1187704 +Patch1: boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch BuildRequires: fdupes BuildRequires: go-go-md2man # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires @@ -69,6 +71,8 @@ %prep %setup -q -n %{name}-%{_version} +# boo#1187704 +%patch1 -p1 %build # build runc ++++++ boo1187704-0001-cgroupv2-ebpf-ignore-inaccessible-existing-programs.patch ++++++ From e54bd299f9e170fe35041c839ab90206f02e4df0 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai <cyphar@cyphar.com> Date: Thu, 1 Jul 2021 12:55:08 +1000 Subject: [PATCH] cgroupv2: ebpf: ignore inaccessible existing programs This is necessary in order for runc to be able to configure device cgroups with --systemd-cgroup on distributions that have very strict SELinux policies such as openSUSE MicroOS[1]. The core issue here is that systemd is adding its own BPF policy that has an SELinux label such that runc cannot interact with it. In order to work around this, we can just ignore the policy -- in theory this behaviour is not correct but given that the most obvious case (--systemd-cgroup) will still handle updates correctly, this logic is reasonable. (This also contains a backport of [2].) [1]: https://bugzilla.suse.com/show_bug.cgi?id=1182428 [2]: https://github.com/cilium/ebpf/pull/334 Fixes: d0f2c25f521e ("cgroup2: devices: replace all existing filters when attaching") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> --- go.mod | 2 ++ go.sum | 4 ++++ libcontainer/cgroups/ebpf/ebpf_linux.go | 19 ++++++++++++++++--- vendor/github.com/cilium/ebpf/syscalls.go | 5 ++--- vendor/modules.txt | 2 +- 5 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 6262a12198ca..95d14b12b36c 100644
--- a/go.mod
+++ b/go.mod
@@ -26,3 +26,5 @@ require (
 	golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
 	google.golang.org/protobuf v1.26.0
 )
+
+replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
diff --git a/go.sum b/go.sum
index 0bc7fd057207..00bb16d7ff6f 100644
--- a/go.sum
+++ b/go.sum
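Review bot: The new `replace github.com/cilium/ebpf => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f` redirects a vendored dependency to a personal fork at a pseudo-version, but nothing in go.mod records why or when it can be removed; the commit message does (cilium/ebpf pull 334), so that should sit next to the directive, e.g. `// Backport of https://github.com/cilium/ebpf/pull/334; drop once a cilium/ebpf release includes it.` Pinning the fork by pseudo-version together with the go.sum hashes keeps the build reproducible, but until the replace is dropped this package tracks the fork, not upstream, for fixes to this dependency. Separately, the go.sum hunk that follows also adds entries for an earlier fork pseudo-version (…20210701040454-26565c82f4f1) that no go.mod line references; `go mod tidy` would remove them.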
@@ -11,6 +11,10 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1 h1:Y+9BQzEwXR1yEhvf843TRwrMgwH7ZbO3arwgZfXPhFU=
+github.com/cyphar/ebpf v0.6.1-0.20210701040454-26565c82f4f1/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f h1:MqvjlbU/U6s12v7ru6MbLKIkLlzGMDiMKYi4yGHGz2Q=
+github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
diff --git a/libcontainer/cgroups/ebpf/ebpf_linux.go b/libcontainer/cgroups/ebpf/ebpf_linux.go
index fccf3931d6ee..dd119ad4f7a5 100644
--- a/libcontainer/cgroups/ebpf/ebpf_linux.go
+++ b/libcontainer/cgroups/ebpf/ebpf_linux.go
@@ -59,13 +59,26 @@ func findAttachedCgroupDeviceFilters(dirFd int) ([]*ebpf.Program, error) {
 	// Convert the ids to program handles.
 	progIds = progIds[:size]
-	programs := make([]*ebpf.Program, len(progIds))
-	for idx, progId := range progIds {
+	programs := make([]*ebpf.Program, 0, len(progIds))
+	for _, progId := range progIds {
 		program, err := ebpf.NewProgramFromID(ebpf.ProgramID(progId))
 		if err != nil {
+			// We skip over programs that give us -EACCES. This is
+			// necessary because there may be BPF programs that have been
+			// attached (such as with --systemd-cgroup) which have an LSM
+			// label that blocks us from interacting with the program.
+			//
+			// Because additional BPF_CGROUP_DEVICE programs only can add
+			// restrictions, there's no real issue with just ignoring these
+			// programs (and stops runc from breaking on distributions with
+			// very strict SELinux policies).
+			if errors.Is(err, unix.EACCES) {
+				logrus.Debugf("ignoring existing CGROUP_DEVICE program (prog_id=%v) which cannot be accessed by runc -- likely due to LSM policy", progId)
+				continue
+			}
 			return nil, fmt.Errorf("cannot fetch program from id: %w", err)
 		}
-		programs[idx] = program
+		programs = append(programs, program)
 	}
 	runtime.KeepAlive(progIds)
 	return programs, nil
diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go
index c530aadd9a5b..82678eb4043d 100644
--- a/vendor/github.com/cilium/ebpf/syscalls.go
+++ b/vendor/github.com/cilium/ebpf/syscalls.go
@@ -360,10 +360,9 @@ func wrapObjError(err error) error {
 		return nil
 	}
 	if errors.Is(err, unix.ENOENT) {
-		return fmt.Errorf("%w", ErrNotExist)
+		return ErrNotExist
 	}
-
-	return errors.New(err.Error())
+	return err
 }
 func wrapMapError(err error) error {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6878ffcfb192..2da80d8ee4f6 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
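Review bot: The `errors.Is(err, unix.EACCES)` check only works because the vendored `wrapObjError` hunk in this same patch now returns the error as-is instead of flattening it with `errors.New(err.Error())`, which presumably is the path NewProgramFromID's error takes; a later cilium/ebpf upgrade that drops that backport would silently turn the skip back into the hard failure this patch fixes, so the dependency should be stated at the check, e.g. `// Relies on ebpf returning the raw errno (cilium/ebpf pull 334); errors.Is silently stops matching otherwise.` The function's contract also changes: the returned slice may now omit programs that are still attached and keep enforcing their own device policy, and findAttachedCgroupDeviceFilters (which starts before this hunk) has no doc comment saying so, although callers that replace existing filters, as the changelog says runc now does, need to know they may leave foreign programs in place. A one-line doc comment such as `// Programs that exist but cannot be opened (EACCES, e.g. LSM-labelled programs attached by systemd) are omitted from the result.` would close that gap. The skip is logged only at debug level, which matches the comment's claim that these programs are expected under --systemd-cgroup, but it also means a policy that unexpectedly denies runc access to its own program leaves no trace at the default log level; that trade-off deserves a conscious decision rather than an implicit one.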
@@ -3,7 +3,7 @@ github.com/bits-and-blooms/bitset
 # github.com/checkpoint-restore/go-criu/v5 v5.0.0
 github.com/checkpoint-restore/go-criu/v5
 github.com/checkpoint-restore/go-criu/v5/rpc
-# github.com/cilium/ebpf v0.6.1
+# github.com/cilium/ebpf v0.6.1 => github.com/cyphar/ebpf v0.6.1-0.20210701060515-e654431ae87f
 github.com/cilium/ebpf
 github.com/cilium/ebpf/asm
 github.com/cilium/ebpf/internal
-- 2.32.0 ++++++ runc-1.0.0-rc95.tar.xz -> runc-1.0.0.tar.xz ++++++ ++++ 28370 lines of diff (skipped)