This fix updates runc to 0351df1c5a66838d0c392b4ac4cf9450de844e2d
With this fix the warnings that go 1.9 generates for netgo and dlopen
are addressed.
See
- opencontainers/runc#1577
- opencontainers/runc#1579
This fix is part of the efforts for go 1.9 (#33892)
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
@@ -3,7 +3,7 @@ |
3 | 3 |
TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a |
4 | 4 |
|
5 | 5 |
# When updating RUNC_COMMIT, also update runc in vendor.conf accordingly |
6 |
-RUNC_COMMIT=1c81e2a794c6e26a4c650142ae8893c47f619764 |
|
6 |
+RUNC_COMMIT=0351df1c5a66838d0c392b4ac4cf9450de844e2d |
|
7 | 7 |
CONTAINERD_COMMIT=06b9cb35161009dcb7123345749fef02f7cea8e0 |
8 | 8 |
TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574 |
9 | 9 |
LIBNETWORK_COMMIT=7b2b1feb1de4817d522cc372af149ff48d25028e |
@@ -66,7 +66,7 @@ github.com/pborman/uuid v1.0 |
66 | 66 |
google.golang.org/grpc v1.3.0 |
67 | 67 |
|
68 | 68 |
# When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly |
69 |
-github.com/opencontainers/runc 1c81e2a794c6e26a4c650142ae8893c47f619764 |
|
69 |
+github.com/opencontainers/runc 0351df1c5a66838d0c392b4ac4cf9450de844e2d |
|
70 | 70 |
github.com/opencontainers/image-spec 372ad780f63454fbbbbcc7cf80e5b90245c13e13 |
71 | 71 |
github.com/opencontainers/runtime-spec v1.0.0 |
72 | 72 |
|
@@ -187,6 +187,10 @@ type Config struct { |
187 | 187 |
|
188 | 188 |
// Rootless specifies whether the container is a rootless container. |
189 | 189 |
Rootless bool `json:"rootless"` |
190 |
+ |
|
191 |
+ // IntelRdt specifies settings for Intel RDT/CAT group that the container is placed into |
|
192 |
+ // to limit the resources (e.g., L3 cache) the container has available |
|
193 |
+ IntelRdt *IntelRdt `json:"intel_rdt,omitempty"` |
|
190 | 194 |
} |
191 | 195 |
|
192 | 196 |
type Hooks struct { |
@@ -1,3 +1,4 @@ |
1 |
+ |
|
1 | 2 |
#define _GNU_SOURCE |
2 | 3 |
#include <endian.h> |
3 | 4 |
#include <errno.h> |
@@ -19,6 +20,8 @@ |
19 | 19 |
#include <sys/prctl.h> |
20 | 20 |
#include <sys/socket.h> |
21 | 21 |
#include <sys/types.h> |
22 |
+#include <sys/wait.h> |
|
23 |
+ |
|
22 | 24 |
|
23 | 25 |
#include <linux/limits.h> |
24 | 26 |
#include <linux/netlink.h> |
@@ -64,7 +67,13 @@ struct clone_t { |
64 | 64 |
|
65 | 65 |
struct nlconfig_t { |
66 | 66 |
char *data; |
67 |
+ |
|
68 |
+ /* Process settings. */ |
|
67 | 69 |
uint32_t cloneflags; |
70 |
+ char *oom_score_adj; |
|
71 |
+ size_t oom_score_adj_len; |
|
72 |
+ |
|
73 |
+ /* User namespace settings.*/ |
|
68 | 74 |
char *uidmap; |
69 | 75 |
size_t uidmap_len; |
70 | 76 |
char *gidmap; |
@@ -72,9 +81,13 @@ struct nlconfig_t { |
72 | 72 |
char *namespaces; |
73 | 73 |
size_t namespaces_len; |
74 | 74 |
uint8_t is_setgroup; |
75 |
+ |
|
76 |
+ /* Rootless container settings.*/ |
|
75 | 77 |
uint8_t is_rootless; |
76 |
- char *oom_score_adj; |
|
77 |
- size_t oom_score_adj_len; |
|
78 |
+ char *uidmappath; |
|
79 |
+ size_t uidmappath_len; |
|
80 |
+ char *gidmappath; |
|
81 |
+ size_t gidmappath_len; |
|
78 | 82 |
}; |
79 | 83 |
|
80 | 84 |
/* |
@@ -89,6 +102,8 @@ struct nlconfig_t { |
89 | 89 |
#define SETGROUP_ATTR 27285 |
90 | 90 |
#define OOM_SCORE_ADJ_ATTR 27286 |
91 | 91 |
#define ROOTLESS_ATTR 27287 |
92 |
+#define UIDMAPPATH_ATTR 27288 |
|
93 |
+#define GIDMAPPATH_ATTR 27289 |
|
92 | 94 |
|
93 | 95 |
/* |
94 | 96 |
* Use the raw syscall for versions of glibc which don't include a function for |
@@ -191,22 +206,96 @@ static void update_setgroups(int pid, enum policy_t setgroup) |
191 | 191 |
} |
192 | 192 |
} |
193 | 193 |
|
194 |
-static void update_uidmap(int pid, char *map, size_t map_len) |
|
194 |
+static int try_mapping_tool(const char *app, int pid, char *map, size_t map_len) |
|
195 |
+{ |
|
196 |
+ int child; |
|
197 |
+ |
|
198 |
+ /* |
|
199 |
+ * If @app is NULL, execve will segfault. Just check it here and bail (if |
|
200 |
+ * we're in this path, the caller is already getting desparate and there |
|
201 |
+ * isn't a backup to this failing). This usually would be a configuration |
|
202 |
+ * or programming issue. |
|
203 |
+ */ |
|
204 |
+ if (!app) |
|
205 |
+ bail("mapping tool not present"); |
|
206 |
+ |
|
207 |
+ child = fork(); |
|
208 |
+ if (child < 0) |
|
209 |
+ bail("failed to fork"); |
|
210 |
+ |
|
211 |
+ if (!child) { |
|
212 |
+#define MAX_ARGV 20 |
|
213 |
+ char *argv[MAX_ARGV]; |
|
214 |
+ char *envp[] = {NULL}; |
|
215 |
+ char pid_fmt[16]; |
|
216 |
+ int argc = 0; |
|
217 |
+ char *next; |
|
218 |
+ |
|
219 |
+ snprintf(pid_fmt, 16, "%d", pid); |
|
220 |
+ |
|
221 |
+ argv[argc++] = (char *) app; |
|
222 |
+ argv[argc++] = pid_fmt; |
|
223 |
+ /* |
|
224 |
+ * Convert the map string into a list of argument that |
|
225 |
+ * newuidmap/newgidmap can understand. |
|
226 |
+ */ |
|
227 |
+ |
|
228 |
+ while (argc < MAX_ARGV) { |
|
229 |
+ if (*map == '\0') { |
|
230 |
+ argv[argc++] = NULL; |
|
231 |
+ break; |
|
232 |
+ } |
|
233 |
+ argv[argc++] = map; |
|
234 |
+ next = strpbrk(map, "\n "); |
|
235 |
+ if (next == NULL) |
|
236 |
+ break; |
|
237 |
+ *next++ = '\0'; |
|
238 |
+ map = next + strspn(next, "\n "); |
|
239 |
+ } |
|
240 |
+ |
|
241 |
+ execve(app, argv, envp); |
|
242 |
+ bail("failed to execv"); |
|
243 |
+ } else { |
|
244 |
+ int status; |
|
245 |
+ |
|
246 |
+ while (true) { |
|
247 |
+ if (waitpid(child, &status, 0) < 0) { |
|
248 |
+ if (errno == EINTR) |
|
249 |
+ continue; |
|
250 |
+ bail("failed to waitpid"); |
|
251 |
+ } |
|
252 |
+ if (WIFEXITED(status) || WIFSIGNALED(status)) |
|
253 |
+ return WEXITSTATUS(status); |
|
254 |
+ } |
|
255 |
+ } |
|
256 |
+ |
|
257 |
+ return -1; |
|
258 |
+} |
|
259 |
+ |
|
260 |
+static void update_uidmap(const char *path, int pid, char *map, size_t map_len) |
|
195 | 261 |
{ |
196 | 262 |
if (map == NULL || map_len <= 0) |
197 | 263 |
return; |
198 | 264 |
|
199 |
- if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0) |
|
200 |
- bail("failed to update /proc/%d/uid_map", pid); |
|
265 |
+ if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0) { |
|
266 |
+ if (errno != EPERM) |
|
267 |
+ bail("failed to update /proc/%d/uid_map", pid); |
|
268 |
+ if (try_mapping_tool(path, pid, map, map_len)) |
|
269 |
+ bail("failed to use newuid map on %d", pid); |
|
270 |
+ } |
|
201 | 271 |
} |
202 | 272 |
|
203 |
-static void update_gidmap(int pid, char *map, size_t map_len) |
|
273 |
+static void update_gidmap(const char *path, int pid, char *map, size_t map_len) |
|
204 | 274 |
{ |
205 | 275 |
if (map == NULL || map_len <= 0) |
206 | 276 |
return; |
207 | 277 |
|
208 |
- if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) |
|
209 |
- bail("failed to update /proc/%d/gid_map", pid); |
|
278 |
+ if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) { |
|
279 |
+ if (errno != EPERM) |
|
280 |
+ bail("failed to update /proc/%d/gid_map", pid); |
|
281 |
+ if (try_mapping_tool(path, pid, map, map_len)) |
|
282 |
+ bail("failed to use newgid map on %d", pid); |
|
283 |
+ } |
|
210 | 284 |
} |
211 | 285 |
|
212 | 286 |
static void update_oom_score_adj(char *data, size_t len) |
@@ -350,6 +439,14 @@ static void nl_parse(int fd, struct nlconfig_t *config) |
350 | 350 |
config->gidmap = current; |
351 | 351 |
config->gidmap_len = payload_len; |
352 | 352 |
break; |
353 |
+ case UIDMAPPATH_ATTR: |
|
354 |
+ config->uidmappath = current; |
|
355 |
+ config->uidmappath_len = payload_len; |
|
356 |
+ break; |
|
357 |
+ case GIDMAPPATH_ATTR: |
|
358 |
+ config->gidmappath = current; |
|
359 |
+ config->gidmappath_len = payload_len; |
|
360 |
+ break; |
|
353 | 361 |
case SETGROUP_ATTR: |
354 | 362 |
config->is_setgroup = readint8(current); |
355 | 363 |
break; |
@@ -596,8 +693,8 @@ void nsexec(void) |
596 | 596 |
update_setgroups(child, SETGROUPS_DENY); |
597 | 597 |
|
598 | 598 |
/* Set up mappings. */ |
599 |
- update_uidmap(child, config.uidmap, config.uidmap_len); |
|
600 |
- update_gidmap(child, config.gidmap, config.gidmap_len); |
|
599 |
+ update_uidmap(config.uidmappath, child, config.uidmap, config.uidmap_len); |
|
600 |
+ update_gidmap(config.gidmappath, child, config.gidmap, config.gidmap_len); |
|
601 | 601 |
|
602 | 602 |
s = SYNC_USERMAP_ACK; |
603 | 603 |
if (write(syncfd, &s, sizeof(s)) != sizeof(s)) { |
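Review bot: In the try_mapping_tool hunk the argv[] passed to execve is not guaranteed to be NULL-terminated: the tokenizer loop writes no terminator when strpbrk returns NULL (a map whose last entry has no trailing space or newline) or when argc reaches MAX_ARGV with entries still pending, so execve reads past the end of the array. The parent side also reports a signalled newuidmap/newgidmap as success, because `return WEXITSTATUS(status)` is reached for WIFSIGNALED as well and WEXITSTATUS is not meaningful (normally 0) for a killed child, so update_uidmap/update_gidmap continue as if the mapping had been written. map_len is never read, so the loop relies on the netlink payload being NUL-terminated; that assumption deserves a comment, or the scan should be bounded by map_len if the sender does not guarantee it. The excerpt below reserves the last argv slot for the terminator, bails when the map has too many entries, and treats a signalled child as failure; as this is vendored runc code the change belongs upstream rather than in this tree.
```c
		/* … unchanged: argv[0] = app, argv[1] = pid_fmt … */
		/* Reserve the last slot for the NULL terminator execve(2) requires. */
		while (*map != '\0') {
			if (argc >= MAX_ARGV - 1)
				bail("too many mapping entries for %s", app);
			argv[argc++] = map;
			next = strpbrk(map, "\n ");
			if (next == NULL)
				break;
			*next++ = '\0';
			map = next + strspn(next, "\n ");
		}
		argv[argc] = NULL;

		execve(app, argv, envp);
		/* … unchanged: bail("failed to execv") … */
	} else {
		/* … unchanged: waitpid/EINTR loop … */
			if (WIFSIGNALED(status))
				return -1;	/* a killed mapping tool is never a success */
			if (WIFEXITED(status))
				return WEXITSTATUS(status);
```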
@@ -18,4 +18,8 @@ github.com/golang/protobuf 18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8 |
18 | 18 |
github.com/docker/docker 0f5c9d301b9b1cca66b3ea0f9dec3b5317d3686d |
19 | 19 |
github.com/docker/go-units v0.2.0 |
20 | 20 |
github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e |
21 |
-golang.org/x/sys 0e0164865330d5cf1c00247be08330bf96e2f87c https://github.com/golang/sys |
|
21 |
+golang.org/x/sys 7ddbeae9ae08c6a06a59597f0c9edbc5ff2444ce https://github.com/golang/sys |
|
22 |
+ |
|
23 |
+# console dependencies |
|
24 |
+github.com/containerd/console 84eeaae905fa414d03e07bcd6c8d3f19e7cf180e |
|
25 |
+github.com/pkg/errors v0.8.0 |