docker: sync bugfix

Change-Id: Ida64f926d5d3a2a1f99c8718918737836e256897
Signed-off-by: jingrui <jingrui@huawei.com>
jingrui 2021-01-18 21:27:04 +08:00
parent a387d4f07c
commit adcc59f71c
14 changed files with 786 additions and 4 deletions


@ -1 +1 @@
18.09.0.102
18.09.0.105


@ -1,6 +1,6 @@
Name: docker-engine
Version: 18.09.0
Release: 102
Release: 105
Summary: The open-source application container engine
Group: Tools/Docker
@ -200,7 +200,34 @@ fi
%endif
%changelog
* Sat Dec 28 2020 liuzekun<liuzekun@huawei.com> - 18.09.0-102
* Mon Jan 18 2021 jingrui<jingrui@huawei.com> - 18.09.0-105
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:sync bugfix include
1. fix image cleanup failed.
2. cleanup load tmp files.
3. kill residual container process.
4. resume suspend dm device.
5. dont kill containerd during dockerd starting.
6. handle exit event for restore failed container.
7. wait io with timeout when start failed.
8. support hostname mirror registry.
9. mask unused proc files.
* Tue Dec 8 2020 xiadanni<xiadanni1@huawei.com> - 18.09.0-104
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:runc don't deny all devices when update cgroup resource
* Thu Dec 3 2020 xiadanni<xiadanni1@huawei.com> - 18.09.0-103
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:containerd fix CVE-2020-15257
* Fri Nov 27 2020 liuzekun<liuzekun@huawei.com> - 18.09.0-102
- Type:bugfix
- ID:NA
- CVE:NA


@ -0,0 +1,85 @@
From a74f1c3e4ab7c6f4a043904a8e68edf04864d98a Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Wed, 2 Dec 2020 17:20:50 +0800
Subject: [PATCH] docker: clean docker load leak files
Change-Id: I09b66e204f655a9fef660bb85619f5711fb5700b
Signed-off-by: jingrui <jingrui@huawei.com>
---
components/engine/daemon/daemon.go | 39 +++++++++++++++++++
.../daemon/graphdriver/devmapper/deviceset.go | 3 +-
2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index 3ff5691257..1acd355a15 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -613,11 +613,50 @@ func (daemon *Daemon) restore() error {
group.Wait()
+ daemon.cleanExit()
logrus.Info("Loading containers: done.")
return nil
}
+func (daemon *Daemon) cleanExit() {
+ mnt := filepath.Join(daemon.root, "devicemapper/mnt")
+ if dir, err := ioutil.ReadDir(mnt); err == nil {
+ for _, f := range dir {
+ fname := filepath.Join(mnt, f.Name())
+ data, err := ioutil.ReadFile(fname)
+ if err != nil {
+ continue
+ }
+ if string(data) == "exit" {
+ logrus.Infof("cleanExit remove mnt %s", fname)
+ os.Remove(fname)
+ }
+ }
+ }
+
+ tmp := filepath.Join(daemon.root, "image/devicemapper/layerdb/tmp")
+ if dir, err := ioutil.ReadDir(tmp); err == nil {
+ for _, f := range dir {
+ if strings.Contains(f.Name(), "write-set-") {
+ fname := filepath.Join(tmp, f.Name())
+ logrus.Infof("cleanExit remove layerdb %s", fname)
+ os.RemoveAll(fname)
+ }
+ }
+ }
+
+ if dir, err := ioutil.ReadDir(os.Getenv("TMPDIR")); err == nil {
+ for _, f := range dir {
+ if strings.Contains(f.Name(), "docker-import-") {
+ fname := filepath.Join(os.Getenv("TMPDIR"), f.Name())
+ logrus.Infof("cleanExit remove tmpdir %s", fname)
+ os.RemoveAll(fname)
+ }
+ }
+ }
+}
+
// RestartSwarmContainers restarts any autostart container which has a
// swarm endpoint.
func (daemon *Daemon) RestartSwarmContainers() {
diff --git a/components/engine/daemon/graphdriver/devmapper/deviceset.go b/components/engine/daemon/graphdriver/devmapper/deviceset.go
index ff90c44ce3..750f2b13f8 100644
--- a/components/engine/daemon/graphdriver/devmapper/deviceset.go
+++ b/components/engine/daemon/graphdriver/devmapper/deviceset.go
@@ -2286,8 +2286,9 @@ func (devices *DeviceSet) unmountAndDeactivateAll(dir string) {
if err := unix.Unmount(fullname, unix.MNT_DETACH); err != nil && err != unix.EINVAL {
logger.Warnf("Shutdown unmounting %s, error: %s", fullname, err)
} else if err == nil {
- logger.Debugf("Remove %s", fullname)
+ logger.Infof("cleanExit prepare %s", fullname)
os.RemoveAll(fullname)
+ ioutil.WriteFile(fullname, []byte("exit"), 0600)
}
if devInfo, err := devices.lookupDevice(name); err != nil {
--
2.17.1
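Review bot: The TMPDIR sweep in cleanExit matches entries with `strings.Contains(f.Name(), "docker-import-")` and then calls `os.RemoveAll`, so the daemon deletes any entry whose name merely contains that substring; if TMPDIR ever resolves to a directory shared with other software, that includes entries the daemon did not create. Assuming these names are always generated as prefixes (their creation is not in the hunk), anchor the match with `if strings.HasPrefix(f.Name(), "docker-import-") {`, and likewise `strings.HasPrefix(f.Name(), "write-set-")` for the layerdb tmp sweep. The results of `os.Remove`, `os.RemoveAll` and, in deviceset.go, `ioutil.WriteFile(fullname, []byte("exit"), 0600)` are all discarded, so a failed cleanup or a marker that was never written leaves no trace in the log. cleanExit also has no doc comment; one sentence explaining the "exit" marker files written by unmountAndDeactivateAll would make the two halves of the change readable together.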


@ -0,0 +1,62 @@
From 544d24895836ec576febaf94be8affde56449fba Mon Sep 17 00:00:00 2001
From: xiadanni1 <xiadanni1@huawei.com>
Date: Fri, 27 Nov 2020 16:31:56 +0800
Subject: [PATCH] docker: kill container process if its status is not running
when start daemon
Signed-off-by: xiadanni1 <xiadanni1@huawei.com>
---
components/engine/daemon/daemon.go | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index 3ff5691..3cc2a20 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -17,8 +17,10 @@ import (
"runtime"
"strings"
"sync"
+ "syscall"
"time"
+ "golang.org/x/sys/unix"
"google.golang.org/grpc"
"github.com/containerd/containerd"
@@ -43,6 +45,7 @@ import (
"github.com/moby/buildkit/util/resolver"
"github.com/moby/buildkit/util/tracing"
"github.com/sirupsen/logrus"
+
// register graph drivers
_ "github.com/docker/docker/daemon/graphdriver/register"
"github.com/docker/docker/daemon/stats"
@@ -51,7 +54,7 @@ import (
"github.com/docker/docker/image"
"github.com/docker/docker/layer"
"github.com/docker/docker/libcontainerd"
- "github.com/docker/docker/migrate/v1"
+ v1 "github.com/docker/docker/migrate/v1"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/locker"
"github.com/docker/docker/pkg/plugingetter"
@@ -389,6 +392,15 @@ func (daemon *Daemon) restore() error {
}
}
+ if alive && !c.IsRunning() && pid > 1 {
+ if c.Pid == 0 {
+ c.Pid = pid
+ }
+ err := unix.Kill(pid, syscall.SIGKILL)
+ logrus.Warnf("process %v is killed as container=%s is alive but not running, err: %v", pid, c.ID, err)
+ return
+ }
+
if c.IsRunning() || c.IsPaused() {
c.RestartManager().Cancel() // manually start containers because some need to wait for swarm networking
--
1.8.3.1
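Review bot: The block added to restore() sends SIGKILL to a bare `pid` and then logs "process %v is killed" at warning level whether or not `unix.Kill` succeeded. Where `pid` and `alive` are obtained is outside the hunk; if the pid can be stale by the time this runs, nothing here confirms it still belongs to container `c.ID` before the signal is sent, which deserves a check or at least a comment stating why it is safe. Split the log by outcome, e.g. `if err := unix.Kill(pid, unix.SIGKILL); err != nil { logrus.Warnf("kill pid %d of container %s: %v", pid, c.ID, err) }`, and use `unix.SIGKILL` so the added `syscall` import is not needed for this call. The early `return` leaves an enclosing function that starts and ends outside the hunk.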


@ -0,0 +1,82 @@
From 37e3e3dfb31f30b2599d05f021671f6e682f37d6 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Wed, 9 Dec 2020 17:37:02 +0800
Subject: [PATCH] resume suspend dm on start
Change-Id: Ibe215c80aa62b4d4b464749cc6e995d2e0e845af
Signed-off-by: jingrui <jingrui@huawei.com>
---
components/engine/cmd/dockerd/daemon.go | 43 +++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
index 0b3fa0e037..dbf37f3338 100644
--- a/components/engine/cmd/dockerd/daemon.go
+++ b/components/engine/cmd/dockerd/daemon.go
@@ -6,6 +6,7 @@ import (
"fmt"
"io/ioutil"
"os"
+ "os/exec"
"path/filepath"
"runtime"
"strings"
@@ -72,6 +73,45 @@ func NewDaemonCli() *DaemonCli {
return &DaemonCli{}
}
+func resumeDM() {
+ c := make(chan struct{})
+ go func() {
+ defer close(c)
+ out, err := exec.Command("dmsetup", "info", "-c", "--sort", "minor", "--noheadings", "--separator", ",", "-o", "attr,name").CombinedOutput()
+ if err != nil {
+ logrus.Errorf("resume-dm dmsetup info failed: %v", err)
+ return
+ }
+
+ args := []string{"resume"}
+ for _, line := range strings.Split(string(out), "\n") {
+ aa := strings.Split(line, ",")
+ if len(aa) != 2 || !strings.Contains(aa[0], "s") || strings.Index(aa[1], "docker-") != 0 {
+ continue
+ }
+ args = append(args, aa[1])
+ }
+ if len(args) == 1 {
+ return
+ }
+
+ logrus.Infof("resume-dm start resume suspended dm %v", args)
+ _, err = exec.Command("dmsetup", args...).CombinedOutput()
+ if err != nil {
+ logrus.Errorf("resume-dm %s failed: %v", err)
+ return
+ }
+ logrus.Infof("resume-dm finished resume suspended dm")
+ }()
+ select {
+ case <-c:
+ return
+ case <-time.After(10*time.Second):
+ logrus.Warnf("resume-dm timeout, continue anyway.")
+ return
+ }
+}
+
func cleanupLocalDB(db string) {
_, err := os.Stat(db)
if err == nil {
@@ -150,6 +190,9 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
})
system.InitLCOW(cli.Config.Experimental)
+ if cli.Config.GraphDriver == "devicemapper" {
+ resumeDM()
+ }
if err := setDefaultUmask(); err != nil {
return fmt.Errorf("Failed to set umask: %v", err)
--
2.17.1
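Review bot: `logrus.Errorf("resume-dm %s failed: %v", err)` in resumeDM has two verbs and one argument, so the failure log prints the error under `%s` followed by `%!v(MISSING)`; it should read `logrus.Errorf("resume-dm %v failed: %v", args, err)`. The 10-second timeout only stops waiting: the goroutine and the `dmsetup` child keep running after the warning, which `exec.CommandContext` with a `context.WithTimeout` would bound. `strings.Index(aa[1], "docker-") != 0` is clearer as `!strings.HasPrefix(aa[1], "docker-")`, and since it selects every suspended device on the host with that name prefix, a comment stating that this scope is intended would help. The combined output of the resume command is discarded, so a failure is logged without dmsetup's own message.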


@ -0,0 +1,85 @@
From a56def385f835885df056d0d54372111abdc1507 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Sat, 19 Dec 2020 18:56:38 +0800
Subject: [PATCH] docker:skip kill and restart containerd during docker daemon
is starting
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
components/engine/cmd/dockerd/daemon.go | 4 +++-
components/engine/libcontainerd/supervisor/remote_daemon.go | 9 +++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
index dbf37f3..c25ee0e 100644
--- a/components/engine/cmd/dockerd/daemon.go
+++ b/components/engine/cmd/dockerd/daemon.go
@@ -10,6 +10,7 @@ import (
"path/filepath"
"runtime"
"strings"
+ "sync/atomic"
"time"
containerddefaults "github.com/containerd/containerd/defaults"
@@ -106,7 +107,7 @@ func resumeDM() {
select {
case <-c:
return
- case <-time.After(10*time.Second):
+ case <-time.After(10 * time.Second):
logrus.Warnf("resume-dm timeout, continue anyway.")
return
}
@@ -304,6 +305,7 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
logrus.Info("Daemon has completed initialization")
+ atomic.StoreInt32(&supervisor.IsDockerUp, 1)
cli.d = d
routerOptions, err := newRouterOptions(cli.Config, d)
diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
index 62ea58c..19582cd 100644
--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
+++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
@@ -11,6 +11,7 @@ import (
"strconv"
"strings"
"sync"
+ "sync/atomic"
"time"
"github.com/BurntSushi/toml"
@@ -19,6 +20,7 @@ import (
"github.com/docker/docker/pkg/system"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
const (
@@ -31,6 +33,8 @@ const (
pidFile = "containerd.pid"
)
+var IsDockerUp int32
+
type pluginConfigs struct {
Plugins map[string]interface{} `toml:"plugins"`
}
@@ -314,6 +318,11 @@ func (r *remote) monitorDaemon(ctx context.Context) {
}
if system.IsProcessAlive(r.daemonPid) {
+ if atomic.LoadInt32(&IsDockerUp) == 0 {
+ r.logger.WithField("pid", r.daemonPid).Info("dockerd is starting, skip killing containerd")
+ unix.Kill(r.daemonPid, unix.SIGCONT)
+ continue
+ }
r.logger.WithField("pid", r.daemonPid).Info("killing and restarting containerd")
r.killDaemon()
}
--
1.8.3.1
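Review bot: In monitorDaemon the new branch calls `unix.Kill(r.daemonPid, unix.SIGCONT)` and drops the result, and nothing says why SIGCONT is sent; if the intent is to resume a stopped containerd instead of restarting it, say so in a comment on that line and log a non-nil error. While `IsDockerUp` is 0 the branch always reaches `continue`, so an unresponsive containerd is never restarted during start-up; if dockerd start-up can itself wait on containerd, a bound on the number of skipped rounds would avoid a stall. `IsDockerUp` is an exported, writable package variable with no doc comment; a comment such as `// IsDockerUp is set to 1 by dockerd once daemon initialization has completed.` is needed, and an unexported flag behind a setter would keep other packages from changing it. The monitor loop starts and ends outside the hunk.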


@ -0,0 +1,107 @@
From 66b6e3065b160bd7d480f183156acbe1cb9bf2e0 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Tue, 15 Dec 2020 16:05:56 +0800
Subject: [PATCH] handle exit force
Change-Id: If08483f57b4f04d6c4961c9f588e4d599009eddc
Signed-off-by: jingrui <jingrui@huawei.com>
---
components/engine/daemon/monitor.go | 9 +++++++++
components/engine/libcontainerd/client_daemon.go | 14 ++++++++++++++
components/engine/libcontainerd/types.go | 1 +
.../plugin/executor/containerd/containerd.go | 5 +++++
4 files changed, 29 insertions(+)
diff --git a/components/engine/daemon/monitor.go b/components/engine/daemon/monitor.go
index e041bd5c69..1b577c0dae 100644
--- a/components/engine/daemon/monitor.go
+++ b/components/engine/daemon/monitor.go
@@ -26,6 +26,14 @@ func (daemon *Daemon) setStateCounter(c *container.Container) {
}
}
+func (daemon *Daemon) IsContainerRunning(id string) bool {
+ c, err := daemon.GetContainer(id)
+ if err != nil {
+ return false
+ }
+ return c.IsRunning()
+}
+
// ProcessEvent is called by libcontainerd whenever an event occurs
func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libcontainerd.EventInfo) error {
c, err := daemon.GetContainer(id)
@@ -51,6 +59,7 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
case libcontainerd.EventExit:
if int(ei.Pid) == c.Pid {
c.Lock()
+ logrus.Infof("handle exit event cid=%s pid=%d", c.ID, c.Pid)
_, _, err := daemon.containerd.DeleteTask(context.Background(), c.ID)
if err != nil {
logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID)
diff --git a/components/engine/libcontainerd/client_daemon.go b/components/engine/libcontainerd/client_daemon.go
index 05c439c540..502796bd25 100755
--- a/components/engine/libcontainerd/client_daemon.go
+++ b/components/engine/libcontainerd/client_daemon.go
@@ -517,9 +517,16 @@ func (c *client) DeleteTask(ctx context.Context, containerID string) (uint32, ti
return status.ExitCode(), status.ExitTime(), nil
}
+func (c *client) deleteForce(ctx context.Context, id string) {
+ if ctr, err := c.client.LoadContainer(ctx, id); err == nil {
+ logrus.Warnf("delete containerd meta id=%s force: error=%v", id, ctr.Delete(ctx))
+ }
+}
+
func (c *client) Delete(ctx context.Context, containerID string) error {
ctr := c.getContainer(containerID)
if ctr == nil {
+ c.deleteForce(ctx, containerID)
return errors.WithStack(newNotFoundError("no such container"))
}
@@ -907,6 +914,13 @@ func (c *client) processEventStream(ctx context.Context, ns string) {
ctr = c.getContainer(ei.ContainerID)
if ctr == nil {
c.logger.WithField("container", ei.ContainerID).Warn("unknown container")
+ if et == EventExit && ei.ProcessID == ei.ContainerID && c.backend.IsContainerRunning(ei.ContainerID) {
+ c.logger.WithField("container", ei.ContainerID).Warn("handle exit event force ...")
+ c.eventQ.append(ei.ContainerID, func() {
+ c.logger.WithField("container", ei.ContainerID).Warnf("handle exit event force: error=%v",
+ c.backend.ProcessEvent(ei.ContainerID, et, ei))
+ })
+ }
continue
}
diff --git a/components/engine/libcontainerd/types.go b/components/engine/libcontainerd/types.go
index c4de5e674d..0b9df9193b 100644
--- a/components/engine/libcontainerd/types.go
+++ b/components/engine/libcontainerd/types.go
@@ -60,6 +60,7 @@ type EventInfo struct {
// Backend defines callbacks that the client of the library needs to implement.
type Backend interface {
ProcessEvent(containerID string, event EventType, ei EventInfo) error
+ IsContainerRunning(id string) bool
}
// Client provides access to containerd features.
diff --git a/components/engine/plugin/executor/containerd/containerd.go b/components/engine/plugin/executor/containerd/containerd.go
index a3401dce79..f75771fe41 100644
--- a/components/engine/plugin/executor/containerd/containerd.go
+++ b/components/engine/plugin/executor/containerd/containerd.go
@@ -141,6 +141,11 @@ func (e *Executor) ProcessEvent(id string, et libcontainerd.EventType, ei libcon
return nil
}
+func (e *Executor) IsContainerRunning(id string) bool {
+ ok, _ := e.IsRunning(id)
+ return ok
+}
+
type rio struct {
cio.IO
--
2.17.1
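Review bot: The closure queued in processEventStream reads `et` and `ei` when it runs, not when it is queued; their declarations are outside the hunk, and if they are reused across loop iterations and the queue runs the closure later, the forced exit can be delivered with a following event's type and info while racing with the loop's writes. Copy them before queuing, `evType, info := et, ei`, and call `c.backend.ProcessEvent(info.ContainerID, evType, info)` inside the closure. deleteForce logs at warning level with `error=%v` even when `ctr.Delete` returns nil and hides the delete call inside the log arguments; perform the delete first and log only on failure. The new exported `IsContainerRunning` methods have no doc comments, and the Executor version discards the error from `e.IsRunning`, so a lookup failure is indistinguishable from "not running".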


@ -0,0 +1,47 @@
From 0f3aa35a1c38fe7fc49cd6fb66fc47a993ad6bb8 Mon Sep 17 00:00:00 2001
From: jingrui <jingrui@huawei.com>
Date: Wed, 16 Dec 2020 18:39:00 +0800
Subject: [PATCH] wait io with timeout in task delete
Change-Id: I23ed40d69279b14a216b6ffb9988439475be5cad
Signed-off-by: jingrui <jingrui@huawei.com>
---
.../github.com/containerd/containerd/task.go | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/components/engine/vendor/github.com/containerd/containerd/task.go b/components/engine/vendor/github.com/containerd/containerd/task.go
index 6806e11620..7421432bed 100644
--- a/components/engine/vendor/github.com/containerd/containerd/task.go
+++ b/components/engine/vendor/github.com/containerd/containerd/task.go
@@ -44,6 +44,7 @@ import (
"github.com/opencontainers/image-spec/specs-go/v1"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// UnknownExitStatus is returned when containerd is unable to
@@ -287,8 +288,18 @@ func (t *task) Delete(ctx context.Context, opts ...ProcessDeleteOpts) (*ExitStat
return nil, errors.Wrapf(errdefs.ErrFailedPrecondition, "task must be stopped before deletion: %s", status.Status)
}
if t.io != nil {
- t.io.Cancel()
- t.io.Wait()
+ done := make(chan struct{})
+ go func() {
+ t.io.Cancel()
+ t.io.Wait()
+ close(done)
+ }()
+ select {
+ case <-time.After(3 * time.Second):
+ logrus.Warnf("task delete wait io close timeout, some fifo io may be dropped.")
+ case <-done:
+ // ok
+ }
}
r, err := t.client.TaskService().Delete(ctx, &tasks.DeleteTaskRequest{
ContainerID: t.id,
--
2.17.1
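Review bot: After the 3-second timeout in task.Delete the goroutine is still inside `t.io.Wait()` and nothing visible here stops it, so each timed-out delete can leave a goroutine behind; the same pattern is added to process.Start in the process.go patch, there with 30 seconds and an extra `p.io.Close()`. The two bare literals carry no comment explaining the values or why they differ; named constants with a one-line rationale, e.g. `const ioCloseTimeout = 3 * time.Second`, would document the choice. Both files live under vendor/, so a comment marking each block as a local change would help whoever next re-syncs the vendored containerd. The enclosing function continues outside the hunk.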


@ -0,0 +1,137 @@
From 8cc3f33020152d51d38927593ba49ad3dfacf62e Mon Sep 17 00:00:00 2001
From: shaobao.feng <shaobao.feng@huawei.com>
Date: Mon, 7 Dec 2020 15:30:11 +0800
Subject: [PATCH] docker: do not return when matched registry mirror
Change-Id: I5317b91b60293e1f4c50f5a327790c5509537f9b
reason: append hostname itself to make sure the hostname itself will be tried.
---
components/engine/registry/service_v2.go | 86 +++++++++++-------------
1 file changed, 41 insertions(+), 45 deletions(-)
diff --git a/components/engine/registry/service_v2.go b/components/engine/registry/service_v2.go
index adeb10c550..df66cd7451 100644
--- a/components/engine/registry/service_v2.go
+++ b/components/engine/registry/service_v2.go
@@ -19,8 +19,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
if reg != nil {
var regEndpoints []registrytypes.Endpoint = reg.Mirrors
- lastIndex := len(regEndpoints) - 1
- for i, regEP := range regEndpoints {
+ for _, regEP := range regEndpoints {
official := regEP.Address == registrytypes.DefaultEndpoint.Address
regURL := regEP.GetURL()
@@ -41,49 +40,48 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
TLSConfig: tlsConfig,
Prefix: hostname,
// the last endpoint is not considered a mirror
- Mirror: i != lastIndex,
+ Mirror: true,
})
}
- return endpoints, nil
+ // don't return here, otherwise the hostname itself will not be appended to the endpoints,
+ // and the hostname itself will not be tried, which is not a desired action.
}
- } else {
+ }
+ if hostname == DefaultNamespace || hostname == IndexHostname {
tlsConfig = tlsconfig.ServerDefault()
- if hostname == DefaultNamespace || hostname == IndexHostname {
- // v2 mirrors
- for _, mirror := range s.config.Mirrors {
- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
- mirror = "https://" + mirror
- }
- mirrorURL, err := url.Parse(mirror)
- if err != nil {
- return nil, err
- }
- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
- if err != nil {
- return nil, err
- }
- endpoints = append(endpoints, APIEndpoint{
- URL: mirrorURL,
- // guess mirrors are v2
- Version: APIVersion2,
- Mirror: true,
- TrimHostname: true,
- TLSConfig: mirrorTLSConfig,
- })
+ // v2 mirrors
+ for _, mirror := range s.config.Mirrors {
+ if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
+ mirror = "https://" + mirror
+ }
+ mirrorURL, err := url.Parse(mirror)
+ if err != nil {
+ return nil, err
+ }
+ mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
+ if err != nil {
+ return nil, err
}
- // v2 registry
endpoints = append(endpoints, APIEndpoint{
- URL: DefaultV2Registry,
+ URL: mirrorURL,
+ // guess mirrors are v2
Version: APIVersion2,
- Official: true,
+ Mirror: true,
TrimHostname: true,
- TLSConfig: tlsConfig,
+ TLSConfig: mirrorTLSConfig,
})
-
- return endpoints, nil
}
- }
+ // v2 registry
+ endpoints = append(endpoints, APIEndpoint{
+ URL: DefaultV2Registry,
+ Version: APIVersion2,
+ Official: true,
+ TrimHostname: true,
+ TLSConfig: tlsConfig,
+ })
+ return endpoints, nil
+ }
ana := allowNondistributableArtifacts(s.config, hostname)
tlsConfig, err = s.tlsConfig(hostname)
@@ -91,18 +89,16 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
return nil, err
}
- endpoints = []APIEndpoint{
- {
- URL: &url.URL{
- Scheme: "https",
- Host: hostname,
- },
- Version: APIVersion2,
- AllowNondistributableArtifacts: ana,
- TrimHostname: true,
- TLSConfig: tlsConfig,
+ endpoints = append(endpoints, APIEndpoint{
+ URL: &url.URL{
+ Scheme: "https",
+ Host: hostname,
},
- }
+ Version: APIVersion2,
+ AllowNondistributableArtifacts: ana,
+ TrimHostname: true,
+ TLSConfig: tlsConfig,
+ })
if tlsConfig.InsecureSkipVerify {
endpoints = append(endpoints, APIEndpoint{
--
2.17.1
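Review bot: The context comment `// the last endpoint is not considered a mirror` now sits directly above `Mirror: true`, which contradicts it; drop it or replace it with `// every configured mirror is marked as a mirror; the hostname itself is appended below`. With the early `return endpoints, nil` removed, a registry that has mirrors configured also gets its own hostname appended as an endpoint, so pulls can presumably fall through to the origin when the mirrors fail. Deployments that relied on the mirror list to keep pulls on an internal registry would see that as a behaviour change, so it should be stated in the changelog entry or made configurable. lookupV2Endpoints starts and ends outside the hunk.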


@ -0,0 +1,29 @@
From fada5f66fcc555d706603dd3c7832e78e9955501 Mon Sep 17 00:00:00 2001
From: liuzekun <liuzekun@huawei.com>
Date: Thu, 31 Dec 2020 03:07:42 -0500
Subject: add masked paths pagealloc_module and slaballoc_statistics
Signed-off-by: liuzekun <liuzekun@huawei.com>
---
components/engine/oci/defaults.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
index e763cb75..ff027d89 100644
--- a/components/engine/oci/defaults.go
+++ b/components/engine/oci/defaults.go
@@ -135,9 +135,11 @@ func DefaultLinuxSpec() specs.Spec {
"/proc/oom_extend",
"/proc/pagealloc_statistics",
"/proc/pagealloc_bt",
+ "/proc/pagealloc_module",
"/proc/pin_memory",
"/proc/slaballoc_bt",
"/proc/slaballoc_module",
+ "/proc/slaballoc_statistics",
"/proc/sched_debug",
"/proc/scsi",
"/proc/sig_catch",
--
2.19.1


@ -0,0 +1,48 @@
From ef64f4dd5d532b550bb68f60e6373e139fdf5382 Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Fri, 15 Jan 2021 11:23:04 +0800
Subject: [PATCH] docker: wait io with timeout when process Start failed
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
.../vendor/github.com/containerd/containerd/process.go | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/components/engine/vendor/github.com/containerd/containerd/process.go b/components/engine/vendor/github.com/containerd/containerd/process.go
index ff7d838..4d0dca9 100644
--- a/components/engine/vendor/github.com/containerd/containerd/process.go
+++ b/components/engine/vendor/github.com/containerd/containerd/process.go
@@ -26,6 +26,7 @@ import (
"github.com/containerd/containerd/cio"
"github.com/containerd/containerd/errdefs"
"github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
)
// Process represents a system process
@@ -111,9 +112,19 @@ func (p *process) Start(ctx context.Context) error {
ExecID: p.id,
})
if err != nil {
- p.io.Cancel()
- p.io.Wait()
- p.io.Close()
+ done := make(chan struct{})
+ go func() {
+ p.io.Cancel()
+ p.io.Wait()
+ p.io.Close()
+ close(done)
+ }()
+ select {
+ case <-time.After(30 * time.Second):
+ logrus.Warnf("process start failed with error %v, wait io close timeout, some fifo io may be dropped.", err)
+ case <-done:
+ // ok
+ }
return errdefs.FromGRPC(err)
}
p.pid = r.Pid
--
1.8.3.1


@ -0,0 +1,63 @@
From cfc92becb2605d67a7391c43261e698d0fdd57bd Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Fri, 15 Jan 2021 15:37:42 +0800
Subject: [PATCH] docker: delete image reference when failed to get image
configuration to avoid docker pull error
according to patch 0110-docker-Fix-can-t-pull-image-while-the-image-i.patch,
if the layers of image has been damaged, image reference should be
deleted from repositories.json to avoid docker pull failed.
however, when imageStore.Get failed, isExist flag has not been set to
false, which cause the image reference has still not been deleted, only
warning is printed.
flood warnings printed every time user restarts docker daemon, like:
Jan 15 14:09:52 localhost dockerd[3952467]:
time="2021-01-15T14:09:52.705664179+08:00" level=warning msg="Failed to
get image configration for image id
sha256:d0a015ffac5ba3b9d2a641de56b3b2ed24409b7082c7811ebac4c2f4977b0965,
error: failed to get digest
sha256:d0a015ffac5ba3b9d2a641de56b3b2ed24409b7082c7811ebac4c2f4977b0965:
open
/var/lib/docker/image/devicemapper/imagedb/content/sha256/d0a015ffac5ba3b9d2a641de56b3b2ed24409b7082c7811ebac4c2f4977b0965:
no such file or directory"
so we fix the logic, delete image reference when failed to get image
configuration.
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
components/engine/daemon/daemon.go | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
index e826f6a..ed268d2 100644
--- a/components/engine/daemon/daemon.go
+++ b/components/engine/daemon/daemon.go
@@ -1097,11 +1097,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
return nil, err
}
- // delete reference of image not nornamlly loaded to imageStore
- var isExist bool
+ // delete reference of image not normally loaded to imageStore
for _, imageID := range rs.List() {
+ isExist := false
if img, err := imageStore.Get(image.ID(imageID)); err == nil {
- isExist = false
if chainID := img.RootFS.ChainID(); chainID != "" {
l, err := layerStores[runtime.GOOS].Get(chainID)
if err == nil {
@@ -1112,7 +1111,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
isExist = true
}
} else {
- logrus.Warnf("Failed to get image configration for image id %s, error: %s", imageID, err)
+ logrus.Warnf("Failed to get image configuration for image id %s, error: %s", imageID, err)
}
// If the image not exist locally, delete its reference
--
1.8.3.1
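Review bot: With `isExist := false` now set on every iteration, any error from `imageStore.Get` leads to the reference being deleted (the deletion itself is below the hunk), not only a missing or damaged image; a transient read error at daemon start would therefore drop the tag from the reference store. Consider deleting only when the error shows the content is absent, and otherwise keeping the reference and logging. The warning should also say what happens next, e.g. `logrus.Warnf("Failed to get image configuration for image id %s, deleting its reference, error: %s", imageID, err)`. NewDaemon continues outside the hunk.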


@ -162,12 +162,22 @@ patch/0163-docker-delete-event-is-not-need-to-process.patch
patch/0164-docker-stat-process-exit-file-when-kill-process-dire.patch
patch/0165-docker-sync-cli-vendor.patch
patch/0167-docker-fix-CVE-2020-13401.patch
patch/0167-dockerd-add-more-messages-for-ops-when-device-not-fo.patch
patch/0168-docker-do-not-add-w-to-LDFLAGS.patch
patch/0169-docker-add-files-in-proc-for-mask.patch
patch/0170-docker-fix-docker-load-files-leak.patch
patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch
patch/0172-docker-fix-panic-on-single-character-volumes.patch
patch/0173-docker-fix-stats-memory-usage-display-error.patch
patch/0174-docker-add-more-messages-for-ops-when-device-not-fo.patch
patch/0175-docker-mask-proc-pin_memory.patch
patch/0175-docker-clean-docker-load-leak-files.patch
patch/0176-docker-kill-container-process-if-its-status-is-not-r.patch
patch/0177-resume-suspend-dm-on-start.patch
patch/0178-docker-skip-kill-and-restart-containerd-during-docke.patch
patch/0179-handle-exit-force.patch
patch/0180-wait-io-with-timeout-in-task-delete.patch
patch/0181-docker-do-not-return-when-matched-registry-mirror.patch
patch/0183-add-masked-paths-pagealloc_module-and-slaballoc_stat.patch
patch/0184-docker-wait-io-with-timeout-when-process-Start-faile.patch
patch/0185-docker-delete-image-reference-when-failed-to-get-ima.patch
#end