packages/iSulad
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!662 [sync] PR-659: upgrade from upstream

Browse Source 
* upgrade from upstream
This commit is contained in:
openeuler-sync-bot 2024-02-05 01:34:02 +00:00 committed by haozi007
parent fae5edb12b
commit 75b3c2d391
18 changed files with 1863 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch Normal file
View File

@ -0,0 +1,77 @@
From 9f67d23b81babd5be844d1e5abad6fbbe74a3aca Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Tue, 19 Dec 2023 18:31:30 +0800
Subject: [PATCH 182/198] fix stopp removes cont error & remove inspect error
log
Signed-off-by: jikai <jikai11@huawei.com>
---
.../cri_pod_sandbox_manager_service_impl.cc | 36 ++++++++-----------
.../container_cb/execution_information.c | 2 +-
2 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
index edf4dc81..da23cb21 100644
--- a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
+++ b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc
@@ -663,30 +663,22 @@ auto PodSandboxManagerServiceImpl::GetRealSandboxIDToStop(const std::string &pod
std::map<std::string, std::string> &stdAnnos, Errors &error)
-> int
{
- Errors statusErr;
+ auto status = PodSandboxStatus(podSandboxID, error);
+ if (error.NotEmpty()) {
+ return -1;
+ }
- auto status = PodSandboxStatus(podSandboxID, statusErr);
- if (statusErr.Empty()) {
- if (status->linux().namespaces().has_options()) {
- hostNetwork = (status->linux().namespaces().options().network() == runtime::v1alpha2::NamespaceMode::NODE);
- }
- // if metadata is invalid, don't return -1 and continue stopping pod
- if (status->has_metadata()) {
- name = status->metadata().name();
- ns = status->metadata().namespace_();
- }
- realSandboxID = status->id();
- CRIHelpers::ProtobufAnnoMapToStd(status->annotations(), stdAnnos);
- } else {
- if (CRIHelpers::IsContainerNotFoundError(statusErr.GetMessage())) {
- WARN("Both sandbox container and checkpoint for id %s could not be found. "
- "Proceed without further sandbox information.",
- podSandboxID.c_str());
- } else {
- error.Errorf("failed to get sandbox status: %s", statusErr.GetCMessage());
- return -1;
- }
+ if (status->linux().namespaces().has_options()) {
+ hostNetwork = (status->linux().namespaces().options().network() == runtime::v1alpha2::NamespaceMode::NODE);
}
+ // if metadata is invalid, don't return -1 and continue stopping pod
+ if (status->has_metadata()) {
+ name = status->metadata().name();
+ ns = status->metadata().namespace_();
+ }
+ realSandboxID = status->id();
+ CRIHelpers::ProtobufAnnoMapToStd(status->annotations(), stdAnnos);
+
if (realSandboxID.empty()) {
realSandboxID = podSandboxID;
}
diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c
index ba33bdfa..6489797d 100644
--- a/src/daemon/executor/container_cb/execution_information.c
+++ b/src/daemon/executor/container_cb/execution_information.c
@@ -909,7 +909,7 @@ static int inspect_container_helper(const char *id, int timeout, char **containe
inspect = inspect_container(id, timeout, true);
if (inspect == NULL) {
- ERROR("Failed to inspect container:%s", id);
+ DEBUG("Failed to inspect container:%s", id);
ret = -1;
goto out;
}
--
2.25.1

26
0183-check-if-shim-log.json-is-a-symlink.patch Normal file
View File

@ -0,0 +1,26 @@
From c8d940c54bd1183ffbe918f75af063a90e8677d4 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Sun, 24 Dec 2023 14:04:19 +0800
Subject: [PATCH 183/198] check if shim-log.json is a symlink
Signed-off-by: jikai <jikai11@huawei.com>
---
src/cmd/isulad-shim/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cmd/isulad-shim/common.c b/src/cmd/isulad-shim/common.c
index 4a84cf40..2c0a4e3a 100644
--- a/src/cmd/isulad-shim/common.c
+++ b/src/cmd/isulad-shim/common.c
@@ -33,7 +33,7 @@ int g_log_fd = -1;
int init_shim_log(void)
{
- g_log_fd = open_no_inherit(SHIM_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0640);
+ g_log_fd = open_no_inherit(SHIM_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC | O_NOFOLLOW, 0640);
if (g_log_fd < 0) {
return SHIM_ERR;
}
--
2.25.1

60
0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch Normal file
View File

@ -0,0 +1,60 @@
From 6d602103ad975c51f2ec844c89f5e87f82768849 Mon Sep 17 00:00:00 2001
From: l00804245 <liuxu156@huawei.com>
Date: Tue, 2 Jan 2024 10:39:24 +0800
Subject: [PATCH 184/198] bugfix:ignore some unsupported file types when
archiving
---
src/utils/tar/util_archive.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index 19cfdd12..86947c0b 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -1055,6 +1055,29 @@ static void link_kvfree(void *key, void *value)
return;
}
+static bool check_archive_write_entry_filetype_unsupported(struct archive_entry *entry)
+{
+ bool unsupported = true;
+ /*
+ * The file types to be archived must comply with the pax interchange format,
+ * the following switch-case lists the file types that meet the standard,
+ * the socket and other file types do not meet the standard, therefore, archiving is not supported.
+ */
+ switch (archive_entry_filetype(entry)) {
+ case AE_IFBLK:
+ case AE_IFCHR:
+ case AE_IFIFO:
+ case AE_IFLNK:
+ case AE_IFREG:
+ case AE_IFDIR:
+ unsupported = false;
+ break;
+ default: /* AE_IFSOCK and unknown */
+ break;
+ }
+ return unsupported;
+}
+
int tar_handler(struct archive *r, struct archive *w, const char *src_base, const char *dst_base)
{
int ret = ARCHIVE_OK;
@@ -1094,6 +1117,12 @@ int tar_handler(struct archive *r, struct archive *w, const char *src_base, cons
ret = ARCHIVE_FAILED;
break;
}
+
+ if (check_archive_write_entry_filetype_unsupported(entry)) {
+ WARN("%s ignored", archive_entry_pathname(entry));
+ continue;
+ }
+
ret = archive_write_header(w, entry);
if (ret != ARCHIVE_OK) {
ERROR("Fail to write tar header: %s.\nlink:%s target:%s", archive_error_string(w),
--
2.25.1

34
0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch Normal file
View File

@ -0,0 +1,34 @@
From 5e125dd63c18e434c684939147717a3a6440b471 Mon Sep 17 00:00:00 2001
From: yangjiaqi <yangjiaqi16@huawei.com>
Date: Thu, 28 Dec 2023 16:02:32 +0800
Subject: [PATCH 185/198] iSulad: restart isuald when upgrade active isulad
Signed-off-by: yangjiaqi <yangjiaqi16@huawei.com>
---
iSulad.spec | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/iSulad.spec b/iSulad.spec
index d3799784..68590a2c 100644
--- a/iSulad.spec
+++ b/iSulad.spec
@@ -167,6 +167,16 @@ if [ -e %{_unitdir}/lcrd.service.rpmsave ]; then
mv %{_unitdir}/lcrd.service.rpmsave %{_unitdir}/isulad.service
sed -i 's/lcrd/isulad/g' %{_unitdir}/isulad.service
fi
+# During the isulad upgrade process, the isulad service may still be running, but the service may be unavailable
+# due to configuration updates and other reasons.
+# it may fail if the X package is upgraded synchronously with isulad and depends on the isulad command,
+# For example syscontianer-tools and lxcfs-tools.
+# Therefore, after upgrading isulad, if the original status of isulad is running,
+# we need to restart isulad to ensure that the service is available during the upgrade process.
+systemctl status isulad | grep 'Active:' | grep 'running'
+if [ $? -eq 0 ]; then
+ systemctl restart isulad
+fi
%else
/sbin/service isulad status | grep 'Active:' | grep 'running'
if [ $? -eq 0 ]; then
--
2.25.1

418
0186-refactor-update-possible-changed-resources-for-oci-s.patch Normal file
View File

@ -0,0 +1,418 @@
From 8ba1adc1b19692eb65051adac069ea2a14a62f3d Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Tue, 17 Oct 2023 15:52:11 +0800
Subject: [PATCH 186/198] [refactor] update possible changed resources for oci
spec
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
src/cmd/isulad/main.c | 5 +
src/daemon/modules/api/specs_api.h | 4 +
.../modules/service/service_container.c | 68 ++++++++--
src/daemon/modules/spec/specs.c | 38 +++++-
src/daemon/modules/spec/specs_mount.c | 120 ++++++++++++++++--
src/daemon/modules/spec/specs_mount.h | 6 +-
.../image/oci/oci_config_merge/CMakeLists.txt | 4 +
7 files changed, 221 insertions(+), 24 deletions(-)
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 05e899f6..1bcef43f 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1372,6 +1372,11 @@ static int isulad_server_init_common()
goto out;
}
+ if (spec_module_init() != 0) {
+ ERROR("Failed to init spec module");
+ goto out;
+ }
+
if (containers_store_init()) {
ERROR("Failed to init containers store");
goto out;
diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h
index 0a594d81..f48f0bda 100644
--- a/src/daemon/modules/api/specs_api.h
+++ b/src/daemon/modules/api/specs_api.h
@@ -40,6 +40,10 @@ int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, ch
int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec,
const container_config_v2_common_config_network_settings *network_settings);
+const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container);
+
+int spec_module_init(void);
+
#ifdef __cplusplus
}
#endif
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 58b27f90..a5c12862 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -13,19 +13,11 @@
* Description: provide container supervisor functions
******************************************************************************/
#define _GNU_SOURCE
-#include <sys/stat.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/eventfd.h>
#include <errno.h>
#include <fcntl.h>
-#include <isula_libutils/container_config.h>
-#include <isula_libutils/container_config_v2.h>
-#include <isula_libutils/container_exec_request.h>
-#include <isula_libutils/container_exec_response.h>
-#include <isula_libutils/defs.h>
-#include <isula_libutils/host_config.h>
-#include <isula_libutils/oci_runtime_spec.h>
#include <limits.h>
#include <pthread.h>
#include <signal.h>
@@ -35,15 +27,28 @@
#include <stdlib.h>
#include <string.h>
#include <strings.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <sys/eventfd.h>
+#include <sys/epoll.h>
+
+#include <isula_libutils/container_config.h>
+#include <isula_libutils/container_config_v2.h>
+#include <isula_libutils/container_exec_request.h>
+#include <isula_libutils/container_exec_response.h>
+#include <isula_libutils/defs.h>
+#include <isula_libutils/host_config.h>
+#include <isula_libutils/oci_runtime_spec.h>
+#include <isula_libutils/log.h>
#include "service_container_api.h"
-#include "isula_libutils/log.h"
#include "utils.h"
#include "err_msg.h"
#include "events_sender_api.h"
#include "image_api.h"
#include "specs_api.h"
#include "specs_mount.h"
+#include "specs_extend.h"
#include "isulad_config.h"
#include "verify.h"
#include "plugin_api.h"
@@ -678,6 +683,43 @@ out:
epoll_loop_close(&descr);
}
+static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, host_config *hostconfig)
+{
+ char *cgroup_parent = NULL;
+ int ret;
+
+ // If isulad daemon cgroup parent updated, we should update this config into oci spec
+ cgroup_parent = merge_container_cgroups_path(id, hostconfig);
+ if (cgroup_parent == NULL) {
+ return -1;
+ }
+ if (oci_spec->linux->cgroups_path != NULL && strcmp(oci_spec->linux->cgroups_path, cgroup_parent) != 0) {
+ free(oci_spec->linux->cgroups_path);
+ oci_spec->linux->cgroups_path = cgroup_parent;
+ cgroup_parent = NULL;
+ }
+ free(cgroup_parent);
+
+ // For Linux.Resources, isula update will save changes into oci spec;
+ // so we just skip it;
+
+ // Remove old devices and update all devices
+ ret = update_devcies_for_oci_spec(oci_spec, hostconfig);
+ if (ret != 0) {
+ ERROR("Failed to do update devices for oci spec");
+ return -1;
+ }
+
+ // If isulad daemon ulimit updated, we should update this config into oci spec.
+ if (merge_global_ulimit(oci_spec) != 0) {
+ return -1;
+ }
+
+ // renew_oci_config() will update process->user and share namespace after.
+
+ return 0;
+}
+
static int do_start_container(container_t *cont, const char *console_fifos[], bool reset_rm, pid_ppid_info_t *pid_info)
{
int ret = 0;
@@ -752,6 +794,14 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
goto close_exit_fd;
}
+ // Update possible changes
+ nret = do_oci_spec_update(id, oci_spec, cont->hostconfig);
+ if (nret != 0) {
+ ERROR("Failed to update possible changes for oci spec");
+ ret = -1;
+ goto close_exit_fd;
+ }
+
nret = setup_ipc_dirs(cont->hostconfig, cont->common_config);
if (nret != 0) {
ERROR("Failed to setup ipc dirs");
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index 0c7d58b3..316e9c92 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -17,6 +17,8 @@
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
#include <isula_libutils/container_config.h>
#include <isula_libutils/container_config_v2.h>
#include <isula_libutils/defs.h>
@@ -76,6 +78,13 @@
#define CLONE_NEWCGROUP 0x02000000
#endif
+struct readonly_default_oci_spec {
+ oci_runtime_spec *cont;
+ oci_runtime_spec *system_cont;
+};
+
+static struct readonly_default_oci_spec g_rdspec;
+
static int make_sure_oci_spec_annotations(oci_runtime_spec *oci_spec)
{
if (oci_spec->annotations == NULL) {
@@ -1714,7 +1723,12 @@ static int merge_resources_conf(oci_runtime_spec *oci_spec, host_config *host_sp
goto out;
}
- ret = merge_conf_device(oci_spec, host_spec);
+ ret = merge_conf_blkio_device(oci_spec, host_spec);
+ if (ret != 0) {
+ goto out;
+ }
+
+ ret = merge_conf_devices(oci_spec, host_spec);
if (ret != 0) {
goto out;
}
@@ -2328,3 +2342,25 @@ out_free:
free(json_container);
return ret;
}
+
+const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container)
+{
+ if (system_container) {
+ return g_rdspec.system_cont;
+ }
+
+ return g_rdspec.cont;
+}
+
+int spec_module_init(void)
+{
+ g_rdspec.cont = default_spec(false);
+ if (g_rdspec.cont == NULL) {
+ return -1;
+ }
+ g_rdspec.system_cont = default_spec(true);
+ if (g_rdspec.system_cont == NULL) {
+ return -1;
+ }
+ return 0;
+}
\ No newline at end of file
diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c
index cd3a5c9d..8bff6cda 100644
--- a/src/daemon/modules/spec/specs_mount.c
+++ b/src/daemon/modules/spec/specs_mount.c
@@ -53,6 +53,7 @@
#include "image_api.h"
#include "volume_api.h"
#include "parse_volume.h"
+#include "specs_api.h"
enum update_rw {
update_rw_untouch,
@@ -2212,7 +2213,24 @@ out:
return ret;
}
-int merge_conf_device(oci_runtime_spec *oci_spec, host_config *host_spec)
+int merge_conf_devices(oci_runtime_spec *oci_spec, host_config *host_spec)
+{
+ /* devices which will be populated into container */
+ if (merge_conf_populate_device(oci_spec, host_spec)) {
+ ERROR("Merge user define devices failed");
+ return -1;
+ }
+
+ /* device cgroup rules which will be added into container */
+ if (merge_conf_device_cgroup_rule(oci_spec, host_spec)) {
+ ERROR("Merge user define device cgroup rules failed");
+ return -1;
+ }
+
+ return 0;
+}
+
+int merge_conf_blkio_device(oci_runtime_spec *oci_spec, host_config *host_spec)
{
int ret = 0;
@@ -2270,18 +2288,6 @@ int merge_conf_device(oci_runtime_spec *oci_spec, host_config *host_spec)
}
}
- /* devices which will be populated into container */
- if (merge_conf_populate_device(oci_spec, host_spec)) {
- ret = -1;
- goto out;
- }
-
- /* device cgroup rules which will be added into container */
- if (merge_conf_device_cgroup_rule(oci_spec, host_spec)) {
- ret = -1;
- goto out;
- }
-
out:
return ret;
}
@@ -3488,3 +3494,91 @@ out:
free(mntparent);
return ret;
}
+
+int update_devcies_for_oci_spec(oci_runtime_spec *oci_spec, host_config *hostconfig)
+{
+ const oci_runtime_spec *readonly_spec = NULL;
+ size_t i;
+ int ret;
+
+ // Step1: get default oci spec config
+ readonly_spec = get_readonly_default_oci_spec(hostconfig->system_container);
+
+ // Step2: clear oci_spec devices items
+ for (i = 0; i < oci_spec->linux->devices_len; i++) {
+ free_defs_device(oci_spec->linux->devices[i]);
+ oci_spec->linux->devices[i] = NULL;
+ }
+ // Step3: if default devices length more than old spec, just realloc memory
+ if (readonly_spec->linux->devices_len > oci_spec->linux->devices_len) {
+ free(oci_spec->linux->devices);
+ oci_spec->linux->devices = util_smart_calloc_s(sizeof(defs_device *), readonly_spec->linux->devices_len);
+ if (oci_spec->linux->devices == NULL) {
+ oci_spec->linux->devices_len = 0;
+ ERROR("Out of memory");
+ return -1;
+ }
+ }
+ oci_spec->linux->devices_len = 0;
+ // Step4: copy default devices to oci spec
+ for (i = 0; i < readonly_spec->linux->devices_len; i++) {
+ defs_device *tmp_dev = util_common_calloc_s(sizeof(defs_device));
+ if (tmp_dev == NULL) {
+ ERROR("Out of memory");
+ return -1;
+ }
+ tmp_dev->type = util_strdup_s(readonly_spec->linux->devices[i]->type);
+ tmp_dev->path = util_strdup_s(readonly_spec->linux->devices[i]->path);
+ tmp_dev->file_mode = readonly_spec->linux->devices[i]->file_mode;
+ tmp_dev->major = readonly_spec->linux->devices[i]->major;
+ tmp_dev->minor = readonly_spec->linux->devices[i]->minor;
+ tmp_dev->uid = readonly_spec->linux->devices[i]->uid;
+ tmp_dev->gid = readonly_spec->linux->devices[i]->gid;
+ oci_spec->linux->devices[i] = tmp_dev;
+ oci_spec->linux->devices_len += 1;
+ }
+
+ // Step5: clear oci_spec device cgroup rules
+ for (i = 0; i < oci_spec->linux->resources->devices_len; i++) {
+ free_defs_device_cgroup(oci_spec->linux->resources->devices[i]);
+ oci_spec->linux->resources->devices[i] = NULL;
+ }
+ // Step6: if default devices lenght more than old spec, just realloc memory
+ if (readonly_spec->linux->resources->devices_len > oci_spec->linux->resources->devices_len) {
+ free(oci_spec->linux->resources->devices);
+ oci_spec->linux->resources->devices = util_smart_calloc_s(sizeof(defs_device_cgroup *),
+ readonly_spec->linux->resources->devices_len);
+ if (oci_spec->linux->resources->devices == NULL) {
+ oci_spec->linux->resources->devices_len = 0;
+ ERROR("Out of memory");
+ return -1;
+ }
+ }
+ oci_spec->linux->resources->devices_len = 0;
+ // Step7: copy default device cgroup rules to oci spec
+ for (i = 0; i < readonly_spec->linux->resources->devices_len; i++) {
+ defs_device_cgroup *tmp_dev_cg = util_common_calloc_s(sizeof(defs_device_cgroup));
+ if (tmp_dev_cg == NULL) {
+ ERROR("Out of memory");
+ return -1;
+ }
+ tmp_dev_cg->allow = readonly_spec->linux->resources->devices[i]->allow;
+ tmp_dev_cg->major = readonly_spec->linux->resources->devices[i]->major;
+ tmp_dev_cg->minor = readonly_spec->linux->resources->devices[i]->minor;
+ tmp_dev_cg->type = util_strdup_s(readonly_spec->linux->resources->devices[i]->type);
+ tmp_dev_cg->access = util_strdup_s(readonly_spec->linux->resources->devices[i]->access);
+ oci_spec->linux->resources->devices[i] = tmp_dev_cg;
+ oci_spec->linux->resources->devices_len += 1;
+ }
+
+ // Step8: do update devices and cgroup device rules at here
+ if (hostconfig->privileged) {
+ // Step8.1: for priviledged container, we should merge all devices under /dev
+ ret = merge_all_devices_and_all_permission(oci_spec);
+ } else {
+ // Step8.2: for common container, we should merge devices defined by user in hostconfig
+ ret = merge_conf_devices(oci_spec, hostconfig);
+ }
+
+ return ret;
+}
\ No newline at end of file
diff --git a/src/daemon/modules/spec/specs_mount.h b/src/daemon/modules/spec/specs_mount.h
index 8a28f0e2..b742ca35 100644
--- a/src/daemon/modules/spec/specs_mount.h
+++ b/src/daemon/modules/spec/specs_mount.h
@@ -41,10 +41,14 @@ int set_mounts_readwrite_option(const oci_runtime_spec *oci_spec);
int merge_all_devices_and_all_permission(oci_runtime_spec *oci_spec);
-int merge_conf_device(oci_runtime_spec *oci_spec, host_config *host_spec);
+int merge_conf_devices(oci_runtime_spec *oci_spec, host_config *host_spec);
+
+int merge_conf_blkio_device(oci_runtime_spec *oci_spec, host_config *host_spec);
int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2_spec);
+int update_devcies_for_oci_spec(oci_runtime_spec *oci_spec, host_config *hostconfig);
+
#ifdef __cplusplus
}
#endif
diff --git a/test/image/oci/oci_config_merge/CMakeLists.txt b/test/image/oci/oci_config_merge/CMakeLists.txt
index 42cd2e78..d76de35d 100644
--- a/test/image/oci/oci_config_merge/CMakeLists.txt
+++ b/test/image/oci/oci_config_merge/CMakeLists.txt
@@ -31,7 +31,11 @@ add_executable(${EXE}
${CMAKE_CURRENT_SOURCE_DIR}/../../../../test/mocks/namespace_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../../test/mocks/container_unix_mock.cc
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/parse_volume.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/parse_volume.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs_mount.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs_extend.c
+ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs_security.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/volume/volume.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/volume/local.c
${CMAKE_CURRENT_SOURCE_DIR}/../../../../test/mocks/selinux_label_mock.cc
--
2.25.1

119
0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch Normal file
View File

@ -0,0 +1,119 @@
From 005ef1dfc270fdaf4be4d7f9cdf5251daf66c663 Mon Sep 17 00:00:00 2001
From: haozi007 <liuhao27@huawei.com>
Date: Sat, 28 Oct 2023 10:57:13 +0800
Subject: [PATCH 187/198] add CI testcase for update oci spec in start op
Signed-off-by: haozi007 <liuhao27@huawei.com>
---
.../container_cases/dev_cgroup_rule.sh | 50 ++++++++++++++++++-
CI/test_cases/container_cases/ulimit.sh | 13 +++++
2 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/CI/test_cases/container_cases/dev_cgroup_rule.sh b/CI/test_cases/container_cases/dev_cgroup_rule.sh
index 651433c0..839a546c 100755
--- a/CI/test_cases/container_cases/dev_cgroup_rule.sh
+++ b/CI/test_cases/container_cases/dev_cgroup_rule.sh
@@ -25,8 +25,10 @@ source ../helpers.sh
function test_cpu_dev_cgoup_rule_spec()
{
local ret=0
+ local runtime=$1
local image="busybox"
- local test="container device cgroup rule test => (${FUNCNAME[@]})"
+ local test="container device cgroup rule test with (${runtime}) => (${FUNCNAME[@]})"
+ local test_dev="/dev/testA"
msg_info "${test} starting..."
@@ -36,6 +38,47 @@ function test_cpu_dev_cgoup_rule_spec()
isula images | grep busybox
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && ((ret++))
+ rm -f $test_dev
+ priv_cid=$(isula run -tid --privileged --runtime $runtime $image /bin/sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run priviledged container failed" && ((ret++))
+ priv_major_88_cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "major\": 88" | wc -l)
+ priv_minor_88_cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "minor\": 88" | wc -l)
+
+ mknod $test_dev c 88 88
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - mknod failed" && ((ret++))
+ isula restart -t 0 $priv_cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart priviledge container failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "major\": 88" | wc -l)
+ [[ $? -ne 0 ]]&& [[ $cnt -le $priv_major_88_cnt ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "minor\": 88" | wc -l)
+ [[ $? -ne 0 ]] && [[ $cnt -le $priv_minor_88_cnt ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++))
+ isula rm -f $priv_cid
+
+ cid=$(isula run -tid --device "$test_dev:$test_dev" --runtime $runtime $image /bin/sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "major\": 88" | wc -l)
+ [[ $? -ne 0 ]]&& [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "minor\": 88" | wc -l)
+ [[ $? -ne 0 ]] && [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++))
+ isula exec -it $cid sh -c "cat /sys/fs/cgroup/devices/devices.list" | grep "c 88:88 rwm"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to check c 88:88 rwm: ${image}" && ((ret++))
+ isula stop -t 0 $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop container failed" && ((ret++))
+ rm -f $test_dev
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm device failed" && ((ret++))
+ mknod $test_dev c 99 99
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - mknod failed" && ((ret++))
+ isula start $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start container failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "major\": 99" | wc -l)
+ [[ $? -ne 0 ]]&& [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "minor\": 99" | wc -l)
+ [[ $? -ne 0 ]] && [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++))
+ isula exec -it $cid sh -c "cat /sys/fs/cgroup/devices/devices.list" | grep "c 99:99 rwm"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to check c 99:99 rwm: ${image}" && ((ret++))
+ isula rm -f $cid
+ rm -f $test_dev
+
isula run -itd --device-cgroup-rule='b *:*' busybox 2>&1 | grep "Invalid value"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Invalid value" && ((ret++))
@@ -93,6 +136,9 @@ function test_cpu_dev_cgoup_rule_spec()
declare -i ans=0
-test_cpu_dev_cgoup_rule_spec || ((ans++))
+for element in ${RUNTIME_LIST[@]};
+do
+ test_cpu_dev_cgoup_rule_spec $element || ((ans++))
+done
show_result ${ans} "${curr_path}/${0}"
diff --git a/CI/test_cases/container_cases/ulimit.sh b/CI/test_cases/container_cases/ulimit.sh
index 29868041..f823dc1c 100755
--- a/CI/test_cases/container_cases/ulimit.sh
+++ b/CI/test_cases/container_cases/ulimit.sh
@@ -33,12 +33,25 @@ function test_ulimit()
local test="ulimit test with (${runtime})=> (${FUNCNAME[@]})"
msg_info "${test} starting..."
+ cid=$(isula run -tid --runtime $runtime $image /bin/sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check failed" && ((ret++))
+ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_"
+ [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed" && ((ret++))
+
check_valgrind_log
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
start_isulad_with_valgrind --default-ulimit nproc=2048:4096 --default-ulimit nproc=2048:8192 --default-ulimit nofile=1024:4096
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ # if default ulimit of isulad changed, isula start should do update ulimit of oci spec
+ isula restart -t 0 $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart failed" && ((ret++))
+ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed after restart" && ((ret++))
+ isula rm -f $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm container failed" && ((ret++))
+
isula run --ulimit nproc= $image --runtime $runtime /bin/sh > $ulimitlog 2>&1
cat $ulimitlog | grep "delimiter '=' can't be the first or the last character"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check failed" && ((ret++))
--
2.25.1

166
0188-update-annotations-and-add-ci-cases.patch Normal file
View File

@ -0,0 +1,166 @@
From b3373e04e420d448bb638407f9d36c5033f85f14 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Sat, 20 Jan 2024 13:32:22 +0800
Subject: [PATCH 188/198] update annotations and add ci cases
Signed-off-by: jikai <jikai11@huawei.com>
---
.../container_cases/dev_cgroup_rule.sh | 24 ++++++++++++
src/daemon/modules/api/specs_api.h | 2 +
.../modules/service/service_container.c | 18 ++++++++-
src/daemon/modules/spec/specs.c | 38 +++++++++++++++++++
4 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/CI/test_cases/container_cases/dev_cgroup_rule.sh b/CI/test_cases/container_cases/dev_cgroup_rule.sh
index 839a546c..5616d37a 100755
--- a/CI/test_cases/container_cases/dev_cgroup_rule.sh
+++ b/CI/test_cases/container_cases/dev_cgroup_rule.sh
@@ -29,6 +29,9 @@ function test_cpu_dev_cgoup_rule_spec()
local image="busybox"
local test="container device cgroup rule test with (${runtime}) => (${FUNCNAME[@]})"
local test_dev="/dev/testA"
+ local default_config="/etc/default/isulad/config.json"
+ local default_config_bak="/etc/default/isulad/config.json.bak"
+ local test_cgroup_parent="/testABC"
msg_info "${test} starting..."
@@ -54,6 +57,27 @@ function test_cpu_dev_cgoup_rule_spec()
[[ $? -ne 0 ]] && [[ $cnt -le $priv_minor_88_cnt ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++))
isula rm -f $priv_cid
+ def_cid=$(isula run -tid --runtime $runtime -m 10m $image /bin/sh)
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++))
+ cp $default_config $default_config_bak
+ sed -i '/"linux": {/a \ \t\t"devices": [\n\t\t{\n\t\t\t"type": "c",\n\t\t\t"path": "\/dev\/testABC",\n\t\t\t"major": 88,\n\t\t\t"minor": 88\n\t\t}\n\t\t],' $default_config
+ stop_isulad_without_valgrind
+ start_isulad_with_valgrind --cgroup-parent $test_cgroup_parent
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+ isula restart -t 0 $def_cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart container failed" && ((ret++))
+ cat /sys/fs/cgroup/memory/$test_cgroup_parent/$def_cid/memory.limit_in_bytes | grep ^10485760$
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - --cgroup-parent cannot work" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$def_cid/config.json | grep "major\": 88" | wc -l)
+ [[ $? -ne 0 ]]&& [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++))
+ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$def_cid/config.json | grep "minor\": 88" | wc -l)
+ [[ $? -ne 0 ]] && [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++))
+ isula rm -f $def_cid
+ cp $default_config_bak $default_config
+ stop_isulad_without_valgrind
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+
cid=$(isula run -tid --device "$test_dev:$test_dev" --runtime $runtime $image /bin/sh)
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++))
cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "major\": 88" | wc -l)
diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h
index f48f0bda..1a5a6ecc 100644
--- a/src/daemon/modules/api/specs_api.h
+++ b/src/daemon/modules/api/specs_api.h
@@ -40,6 +40,8 @@ int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, ch
int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec,
const container_config_v2_common_config_network_settings *network_settings);
+int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *container_spec, host_config *host_spec);
+
const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container);
int spec_module_init(void);
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index a5c12862..99e94e81 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -683,11 +683,18 @@ out:
epoll_loop_close(&descr);
}
-static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, host_config *hostconfig)
+static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, container_config *container_spec, host_config *hostconfig)
{
char *cgroup_parent = NULL;
int ret;
+ // First renew annotations for oci spec, cgroup path, rootfs.mount, native.mask
+ // for iSulad daemon might get updated
+ ret = update_spec_annotations(oci_spec, container_spec, hostconfig);
+ if (ret < 0) {
+ return -1;
+ }
+
// If isulad daemon cgroup parent updated, we should update this config into oci spec
cgroup_parent = merge_container_cgroups_path(id, hostconfig);
if (cgroup_parent == NULL) {
@@ -795,13 +802,20 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
}
// Update possible changes
- nret = do_oci_spec_update(id, oci_spec, cont->hostconfig);
+ nret = do_oci_spec_update(id, oci_spec, cont->common_config->config, cont->hostconfig);
if (nret != 0) {
ERROR("Failed to update possible changes for oci spec");
ret = -1;
goto close_exit_fd;
}
+ nret = container_to_disk(cont);
+ if (nret != 0) {
+ ERROR("Failed to save container info to disk");
+ ret = -1;
+ goto close_exit_fd;
+ }
+
nret = setup_ipc_dirs(cont->hostconfig, cont->common_config);
if (nret != 0) {
ERROR("Failed to setup ipc dirs");
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index 316e9c92..8a112496 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -386,6 +386,44 @@ out:
return ret;
}
+int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *container_spec, host_config *host_spec)
+{
+ int ret = 0;
+ if (oci_spec == NULL || container_spec == NULL || host_spec == NULL) {
+ return -1;
+ }
+
+ ret = make_sure_container_spec_annotations(container_spec);
+ if (ret < 0) {
+ return -1;
+ }
+
+ ret = make_annotations_cgroup_dir(container_spec, host_spec);
+ if (ret != 0) {
+ return -1;
+ }
+
+ /* add rootfs.mount */
+ ret = add_rootfs_mount(container_spec);
+ if (ret != 0) {
+ ERROR("Failed to add rootfs mount");
+ return -1;
+ }
+
+ /* add native.umask */
+ ret = add_native_umask(container_spec);
+ if (ret != 0) {
+ ERROR("Failed to add native umask");
+ return -1;
+ }
+
+ if (merge_annotations(oci_spec, container_spec)) {
+ return -1;
+ }
+
+ return 0;
+}
+
/* default_spec returns default oci spec used by isulad. */
oci_runtime_spec *default_spec(bool system_container)
{
--
2.25.1

55
0189-do-not-update-rootfs-mnt-and-umask-annotations.patch Normal file
View File

@ -0,0 +1,55 @@
From bd64c224c588a4aea6ff8f28ffa3285d7dcf296b Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Mon, 22 Jan 2024 20:19:29 +0800
Subject: [PATCH 189/198] do not update rootfs mnt and umask annotations
Signed-off-by: jikai <jikai11@huawei.com>
---
src/daemon/modules/service/service_container.c | 4 ++--
src/daemon/modules/spec/specs.c | 15 ++-------------
2 files changed, 4 insertions(+), 15 deletions(-)
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 99e94e81..d2802db0 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -688,8 +688,8 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
char *cgroup_parent = NULL;
int ret;
- // First renew annotations for oci spec, cgroup path, rootfs.mount, native.mask
- // for iSulad daemon might get updated
+ // Renew annotations for oci spec, cgroup path only,
+ // since lxc uses the "cgroup.dir" in oci annotations to create cgroup
ret = update_spec_annotations(oci_spec, container_spec, hostconfig);
if (ret < 0) {
return -1;
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index 8a112496..781282f5 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -403,19 +403,8 @@ int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *contai
return -1;
}
- /* add rootfs.mount */
- ret = add_rootfs_mount(container_spec);
- if (ret != 0) {
- ERROR("Failed to add rootfs mount");
- return -1;
- }
-
- /* add native.umask */
- ret = add_native_umask(container_spec);
- if (ret != 0) {
- ERROR("Failed to add native umask");
- return -1;
- }
+ // other annotations will either not be updated after containers created
+ // or for rootfs mnt and umask, we do not support the update operation
if (merge_annotations(oci_spec, container_spec)) {
return -1;
--
2.25.1

49
0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch Normal file
View File

@ -0,0 +1,49 @@
From 8d760da7f5f58c8caa0e8546f33f02dfcd473185 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Tue, 23 Jan 2024 14:25:17 +0800
Subject: [PATCH 190/198] update rootfs.mnt in container spec for system
container
Signed-off-by: jikai <jikai11@huawei.com>
---
src/daemon/executor/container_cb/execution_create.c | 7 +++++--
src/daemon/modules/service/service_container.c | 1 +
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
index d5e54aaf..a0b3fd9e 100644
--- a/src/daemon/executor/container_cb/execution_create.c
+++ b/src/daemon/executor/container_cb/execution_create.c
@@ -564,12 +564,15 @@ static int merge_config_for_syscontainer(const container_create_request *request
value = request->rootfs;
}
- if (append_json_map_string_string(oci_spec->annotations, "rootfs.mount", value)) {
+ // should also update to container spec
+ if (append_json_map_string_string(container_spec->annotations, "rootfs.mount", value)
+ || append_json_map_string_string(oci_spec->annotations, "rootfs.mount", value)) {
ERROR("Realloc annotations failed");
ret = -1;
goto out;
}
- if (request->rootfs != NULL && append_json_map_string_string(oci_spec->annotations, "external.rootfs", "true")) {
+ if (request->rootfs != NULL && (append_json_map_string_string(container_spec->annotations, "external.rootfs", "true")
+ || append_json_map_string_string(oci_spec->annotations, "external.rootfs", "true"))) {
ERROR("Realloc annotations failed");
ret = -1;
goto out;
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index d2802db0..534a0a1d 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -690,6 +690,7 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
// Renew annotations for oci spec, cgroup path only,
// since lxc uses the "cgroup.dir" in oci annotations to create cgroup
+ // should ensure that container spec has the same annotations as oci spec
ret = update_spec_annotations(oci_spec, container_spec, hostconfig);
if (ret < 0) {
return -1;
--
2.25.1

123
0191-bugfix-for-mount-point-remains-under-special-circums.patch Normal file
View File

@ -0,0 +1,123 @@
From a733a9ef962aa003f5475d9494c853f900a66ed3 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Thu, 25 Jan 2024 11:24:59 +0800
Subject: [PATCH 191/198] bugfix for mount point remains under special
circumstances
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/cmd/isulad/main.c | 14 +++++++-------
.../modules/container/leftover_cleanup/cleanup.c | 14 +++++++-------
src/utils/tar/util_archive.c | 14 +++++++-------
3 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 1bcef43f..defc347c 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1277,23 +1277,23 @@ static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir)
char tmp_dir[PATH_MAX] = { 0 };
char cleanpath[PATH_MAX] = { 0 };
- nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_dir);
- if (nret < 0 || (size_t)nret >= PATH_MAX) {
- ERROR("Failed to snprintf");
+ if (realpath(isulad_tmp_dir, cleanpath) == NULL) {
+ ERROR("Failed to get real path for %s", tmp_dir);
return -1;
}
- if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) {
- ERROR("Failed to clean path for %s", tmp_dir);
+ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", cleanpath);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
return -1;
}
- if (isulad_tmpdir_security_check(cleanpath) == 0) {
+ if (isulad_tmpdir_security_check(tmp_dir) == 0) {
return 0;
}
INFO("iSulad tmpdir: %s does not meet security requirements, recreate it", isulad_tmp_dir);
- return recreate_tmpdir(cleanpath);
+ return recreate_tmpdir(tmp_dir);
}
static int ensure_isulad_tmpdir_security()
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index af5f0eee..93571925 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -175,22 +175,22 @@ static void cleanup_path(char *dir)
char tmp_dir[PATH_MAX] = { 0 };
char cleanpath[PATH_MAX] = { 0 };
- nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", dir);
- if (nret < 0 || (size_t)nret >= PATH_MAX) {
- ERROR("Failed to snprintf");
+ if (realpath(dir, cleanpath) == NULL) {
+ ERROR("get real path for %s failed", tmp_dir);
return;
}
- if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) {
- ERROR("clean path for %s failed", tmp_dir);
+ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", cleanpath);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
return;
}
- if (!util_dir_exists(cleanpath)) {
+ if (!util_dir_exists(tmp_dir)) {
return;
}
- nret = util_scan_subdirs(cleanpath, walk_isulad_tmpdir_cb, NULL);
+ nret = util_scan_subdirs(tmp_dir, walk_isulad_tmpdir_cb, NULL);
if (nret != 0) {
ERROR("failed to scan isulad tmp subdirs");
}
diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
index 86947c0b..4db68f7c 100644
--- a/src/utils/tar/util_archive.c
+++ b/src/utils/tar/util_archive.c
@@ -215,18 +215,18 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch
isulad_tmpdir_env = DEFAULT_ISULAD_TMPDIR;
}
- nret = snprintf(isula_tmpdir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmpdir_env);
- if (nret < 0 || (size_t)nret >= PATH_MAX) {
- ERROR("Failed to snprintf");
+ if (realpath(isulad_tmpdir_env, cleanpath) == NULL) {
+ ERROR("Failed to get real path for %s", isula_tmpdir);
return -1;
}
- if (util_clean_path(isula_tmpdir, cleanpath, sizeof(cleanpath)) == NULL) {
- ERROR("clean path for %s failed", isula_tmpdir);
+ nret = snprintf(isula_tmpdir, PATH_MAX, "%s/isulad_tmpdir", cleanpath);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
return -1;
}
- nret = snprintf(tmp_dir, PATH_MAX, "%s/tar-chroot-XXXXXX", cleanpath);
+ nret = snprintf(tmp_dir, PATH_MAX, "%s/tar-chroot-XXXXXX", isula_tmpdir);
if (nret < 0 || (size_t)nret >= PATH_MAX) {
ERROR("Failed to snprintf string");
return -1;
@@ -244,7 +244,7 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch
}
// ensure parent dir is exist
- if (util_mkdir_p(cleanpath, ISULAD_TEMP_DIRECTORY_MODE) != 0) {
+ if (util_mkdir_p(isula_tmpdir, ISULAD_TEMP_DIRECTORY_MODE) != 0) {
return -1;
}
--
2.25.1

71
0192-do-not-cleanup-if-the-directory-does-not-exist.patch Normal file
View File

@ -0,0 +1,71 @@
From 622e99675869fb070dfe850715f062f4c9747e2f Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Fri, 26 Jan 2024 12:59:45 +0800
Subject: [PATCH 192/198] do not cleanup if the directory does not exist
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/cmd/isulad/main.c | 20 ++++++++++++++++++-
.../container/leftover_cleanup/cleanup.c | 13 +++++++++++-
2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index defc347c..5fb702b6 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1276,8 +1276,26 @@ static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir)
int nret;
char tmp_dir[PATH_MAX] = { 0 };
char cleanpath[PATH_MAX] = { 0 };
+ char isulad_tmp_cleanpath[PATH_MAX] = { 0 };
- if (realpath(isulad_tmp_dir, cleanpath) == NULL) {
+ if (util_clean_path(isulad_tmp_dir, isulad_tmp_cleanpath, sizeof(isulad_tmp_cleanpath)) == NULL) {
+ ERROR("Failed to clean path for %s", isulad_tmp_dir);
+ return -1;
+ }
+
+ // Determine whether isulad_tmp_dir exists. If it does not exist, create it
+ // to prevent realpath from reporting errors because the folder does not exist.
+ if (!util_dir_exists(isulad_tmp_cleanpath)) {
+ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_cleanpath);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf");
+ return -1;
+ }
+ INFO("iSulad tmpdir: %s does not exist, create it", isulad_tmp_dir);
+ return recreate_tmpdir(tmp_dir);
+ }
+
+ if (realpath(isulad_tmp_cleanpath, cleanpath) == NULL) {
ERROR("Failed to get real path for %s", tmp_dir);
return -1;
}
diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
index 93571925..c23c901a 100644
--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
@@ -174,8 +174,19 @@ static void cleanup_path(char *dir)
int nret;
char tmp_dir[PATH_MAX] = { 0 };
char cleanpath[PATH_MAX] = { 0 };
+ char dir_cleanpath[PATH_MAX] = { 0 };
- if (realpath(dir, cleanpath) == NULL) {
+ if (util_clean_path(dir, dir_cleanpath, sizeof(dir_cleanpath)) == NULL) {
+ ERROR("clean path for %s failed", dir);
+ return;
+ }
+
+ // If dir does not exist, skip cleanup
+ if (!util_dir_exists(dir_cleanpath)) {
+ return;
+ }
+
+ if (realpath(dir_cleanpath, cleanpath) == NULL) {
ERROR("get real path for %s failed", tmp_dir);
return;
}
--
2.25.1

151
0193-module-only-deletes-the-temporary-files-it-creates.patch Normal file
View File

@ -0,0 +1,151 @@
From b2e274466fdc3b8cffeba952844bcd2d62bece31 Mon Sep 17 00:00:00 2001
From: zhongtao <zhongtao17@huawei.com>
Date: Sat, 27 Jan 2024 11:16:37 +0800
Subject: [PATCH 193/198] module only deletes the temporary files it creates
Signed-off-by: zhongtao <zhongtao17@huawei.com>
---
src/cmd/isulad/main.c | 2 +-
src/common/constants.h | 2 +-
src/daemon/modules/image/oci/oci_image.c | 44 +++++++++++++++++--
src/daemon/modules/image/oci/oci_image.h | 4 ++
src/daemon/modules/image/oci/oci_load.c | 2 +-
.../modules/image/oci/registry/registry.c | 2 +-
6 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
index 5fb702b6..58319ad0 100644
--- a/src/cmd/isulad/main.c
+++ b/src/cmd/isulad/main.c
@@ -1258,7 +1258,7 @@ static int isulad_tmpdir_security_check(const char *tmp_dir)
static int recreate_tmpdir(const char *tmp_dir)
{
- if (util_recursive_rmdir(tmp_dir, 0) != 0) {
+ if (util_path_remove(tmp_dir) != 0) {
ERROR("Failed to remove directory %s", tmp_dir);
return -1;
}
diff --git a/src/common/constants.h b/src/common/constants.h
index 9ea3def7..d6fe6e50 100644
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -50,7 +50,7 @@ extern "C" {
#define TEMP_DIRECTORY_MODE 0700
-#define ISULAD_TEMP_DIRECTORY_MODE 0600
+#define ISULAD_TEMP_DIRECTORY_MODE 0700
#define CONSOLE_FIFO_DIRECTORY_MODE 0770
diff --git a/src/daemon/modules/image/oci/oci_image.c b/src/daemon/modules/image/oci/oci_image.c
index f525f621..e3f28051 100644
--- a/src/daemon/modules/image/oci/oci_image.c
+++ b/src/daemon/modules/image/oci/oci_image.c
@@ -279,10 +279,42 @@ out:
return ret;
}
+// remove dir that image module created
+// return false when failed to rmdir
+// eg: oci-image-load-XXXXXX && registry-XXXXXX
+static bool remove_image_tmpdir_cb(const char *path_name, const struct dirent *sub_dir, void *context)
+{
+ int nret = 0;
+ char tmpdir[PATH_MAX] = { 0 };
+
+ if (sub_dir == NULL) {
+ return true;
+ }
+
+ if (!util_has_prefix(sub_dir->d_name, LOAD_TMPDIR_PREFIX) && !util_has_prefix(sub_dir->d_name, REGISTRY_TMPDIR_PREFIX)) {
+ // only remove directory that image module created
+ return true;
+ }
+
+ nret = snprintf(tmpdir, PATH_MAX, "%s/%s", path_name, sub_dir->d_name);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf for %s", sub_dir->d_name);
+ return false;
+ }
+
+ if (util_recursive_rmdir(tmpdir, 0) != 0) {
+ ERROR("Failed to remove path %s", tmpdir);
+ return false;
+ }
+
+ return true;
+}
+
static int recreate_image_tmpdir()
{
char *image_tmp_path = NULL;
int ret = 0;
+ int nret = 0;
image_tmp_path = oci_get_isulad_tmpdir(g_oci_image_module_data.root_dir);
if (image_tmp_path == NULL) {
@@ -291,10 +323,14 @@ static int recreate_image_tmpdir()
goto out;
}
- if (util_recursive_rmdir(image_tmp_path, 0)) {
- ERROR("failed to remove directory %s", image_tmp_path);
- ret = -1;
- goto out;
+ // If image_tmp_path exist, cleanup it
+ if (util_dir_exists(image_tmp_path)) {
+ nret = util_scan_subdirs(image_tmp_path, remove_image_tmpdir_cb, NULL);
+ if (nret != 0) {
+ ERROR("Failed to scan isulad tmp subdirs");
+ ret = -1;
+ goto out;
+ }
}
if (util_mkdir_p(image_tmp_path, TEMP_DIRECTORY_MODE)) {
diff --git a/src/daemon/modules/image/oci/oci_image.h b/src/daemon/modules/image/oci/oci_image.h
index 3f0a87b7..cb180e1c 100644
--- a/src/daemon/modules/image/oci/oci_image.h
+++ b/src/daemon/modules/image/oci/oci_image.h
@@ -38,6 +38,10 @@ struct oci_image_module_data {
char **insecure_registries;
size_t insecure_registries_len;
};
+
+#define LOAD_TMPDIR_PREFIX "oci-image-load-"
+#define REGISTRY_TMPDIR_PREFIX "registry-"
+
struct oci_image_module_data *get_oci_image_data(void);
int oci_init(const isulad_daemon_configs *args);
diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c
index 3fc8cfb8..efffa6f5 100644
--- a/src/daemon/modules/image/oci/oci_load.c
+++ b/src/daemon/modules/image/oci/oci_load.c
@@ -1044,7 +1044,7 @@ static char *oci_load_path_create()
goto out;
}
- nret = snprintf(tmp_dir, PATH_MAX, "%s/oci-image-load-XXXXXX", image_tmp_path);
+ nret = snprintf(tmp_dir, PATH_MAX, "%s/%sXXXXXX", image_tmp_path, LOAD_TMPDIR_PREFIX);
if (nret < 0 || (size_t)nret >= sizeof(tmp_dir)) {
ERROR("Path is too long");
ret = -1;
diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c
index d586d1c7..5265b5ab 100644
--- a/src/daemon/modules/image/oci/registry/registry.c
+++ b/src/daemon/modules/image/oci/registry/registry.c
@@ -1902,7 +1902,7 @@ static int prepare_pull_desc(pull_descriptor *desc, registry_pull_options *optio
goto out;
}
- sret = snprintf(blobpath, PATH_MAX, "%s/registry-XXXXXX", image_tmp_path);
+ sret = snprintf(blobpath, PATH_MAX, "%s/%sXXXXXX", image_tmp_path, REGISTRY_TMPDIR_PREFIX);
if (sret < 0 || (size_t)sret >= PATH_MAX) {
ERROR("image tmp work path too long");
ret = -1;
--
2.25.1

31
0194-ensure-default-spec-has-linux-resources.patch Normal file
View File

@ -0,0 +1,31 @@
From 011afc6bcad5638edd2efa15815503631ef7aa69 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Sat, 27 Jan 2024 15:29:36 +0800
Subject: [PATCH 194/198] ensure default spec has linux resources
Signed-off-by: jikai <jikai11@huawei.com>
---
src/daemon/modules/spec/specs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index 781282f5..dd6e413b 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -2382,11 +2382,11 @@ const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container)
int spec_module_init(void)
{
g_rdspec.cont = default_spec(false);
- if (g_rdspec.cont == NULL) {
+ if (g_rdspec.cont == NULL || make_sure_oci_spec_linux_resources(g_rdspec.cont) != 0) {
return -1;
}
g_rdspec.system_cont = default_spec(true);
- if (g_rdspec.system_cont == NULL) {
+ if (g_rdspec.system_cont == NULL || make_sure_oci_spec_linux_resources(g_rdspec.system_cont) != 0) {
return -1;
}
return 0;
--
2.25.1

152
0195-improve-dt-for-oci-device-update.patch Normal file
View File

@ -0,0 +1,152 @@
From baa75b2db9a020c0e0552c7236fbbf08ede07f20 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Sat, 27 Jan 2024 15:30:05 +0800
Subject: [PATCH 195/198] improve dt for oci device update
Signed-off-by: jikai <jikai11@huawei.com>
---
.../container_cases/dev_cgroup_rule.sh | 2 +-
test/specs/specs/CMakeLists.txt | 1 +
test/specs/specs/specs_ut.cc | 90 +++++++++++++++++++
3 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/CI/test_cases/container_cases/dev_cgroup_rule.sh b/CI/test_cases/container_cases/dev_cgroup_rule.sh
index 5616d37a..f6a58d15 100755
--- a/CI/test_cases/container_cases/dev_cgroup_rule.sh
+++ b/CI/test_cases/container_cases/dev_cgroup_rule.sh
@@ -60,7 +60,7 @@ function test_cpu_dev_cgoup_rule_spec()
def_cid=$(isula run -tid --runtime $runtime -m 10m $image /bin/sh)
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++))
cp $default_config $default_config_bak
- sed -i '/"linux": {/a \ \t\t"devices": [\n\t\t{\n\t\t\t"type": "c",\n\t\t\t"path": "\/dev\/testABC",\n\t\t\t"major": 88,\n\t\t\t"minor": 88\n\t\t}\n\t\t],' $default_config
+ sed -i '/"linux": {/a \ \t\t"devices": [\n\t\t{\n\t\t\t"type": "c",\n\t\t\t"path": "\/dev\/testA",\n\t\t\t"major": 88,\n\t\t\t"minor": 88\n\t\t}\n\t\t],' $default_config
stop_isulad_without_valgrind
start_isulad_with_valgrind --cgroup-parent $test_cgroup_parent
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
diff --git a/test/specs/specs/CMakeLists.txt b/test/specs/specs/CMakeLists.txt
index c4b36c5f..22505a97 100644
--- a/test/specs/specs/CMakeLists.txt
+++ b/test/specs/specs/CMakeLists.txt
@@ -81,6 +81,7 @@ target_include_directories(${EXE} PUBLIC
${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks
)
+set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,util_common_calloc_s -Wl,--wrap,util_smart_calloc_s -Wl,--wrap,get_readonly_default_oci_spec")
target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} -lgrpc++ -lprotobuf -lcrypto -lyajl -lz)
add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml)
set_tests_properties(${EXE} PROPERTIES TIMEOUT 120)
diff --git a/test/specs/specs/specs_ut.cc b/test/specs/specs/specs_ut.cc
index a2bd3890..8fbaa337 100644
--- a/test/specs/specs/specs_ut.cc
+++ b/test/specs/specs/specs_ut.cc
@@ -19,6 +19,7 @@
#include "mock.h"
#include "isula_libutils/oci_runtime_spec.h"
#include "specs_api.h"
+#include "specs_mount.h"
#include "specs_namespace.h"
#include "isula_libutils/host_config.h"
#include "isula_libutils/container_config.h"
@@ -41,6 +42,46 @@ using ::testing::_;
using namespace std;
+static int g_malloc_count = 0;
+static int g_malloc_match = 1;
+
+extern "C" {
+ DECLARE_WRAPPER_V(util_common_calloc_s, void *, (size_t size));
+ DEFINE_WRAPPER_V(util_common_calloc_s, void *, (size_t size), (size));
+
+ DECLARE_WRAPPER_V(util_smart_calloc_s, void *, (size_t size, size_t len));
+ DEFINE_WRAPPER_V(util_smart_calloc_s, void *, (size_t size, size_t len), (size, len));
+
+ DECLARE_WRAPPER(get_readonly_default_oci_spec, const oci_runtime_spec *, (bool system_container));
+ DEFINE_WRAPPER(get_readonly_default_oci_spec, const oci_runtime_spec *, (bool system_container), (system_container));
+}
+
+void *util_common_calloc_s_fail(size_t size)
+{
+ g_malloc_count++;
+
+ if (g_malloc_count == g_malloc_match) {
+ g_malloc_match++;
+ g_malloc_count = 0;
+ return nullptr;
+ } else {
+ return __real_util_common_calloc_s(size);
+ }
+}
+
+void *util_smart_calloc_s_fail(size_t size, size_t len)
+{
+ g_malloc_count++;
+
+ if (g_malloc_count == g_malloc_match) {
+ g_malloc_match++;
+ g_malloc_count = 0;
+ return nullptr;
+ } else {
+ return __real_util_smart_calloc_s(size, len);
+ }
+}
+
class SpecsUnitTest : public testing::Test {
public:
void SetUp() override
@@ -324,3 +365,52 @@ TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_5)
testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
}
+
+TEST_F(SpecsUnitTest, SpecsUnitTest_test_update_devcies_for_oci_spec)
+{
+ parser_error err = nullptr;
+ oci_runtime_spec *readonly_spec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \
+ { \"devices\": \
+ [ { \"type\": \"c\", \"path\": \"/dev/testA\", \
+ \"fileMode\": 8612, \"major\": 99, \"minor\": 99} ], \
+ \"resources\": { \"devices\": [ { \"allow\": false, \
+ \"type\": \"a\", \"major\": -1, \
+ \"minor\": -1, \"access\": \"rwm\" } ] } } }", nullptr, &err);
+ ASSERT_NE(readonly_spec, nullptr);
+ free(err);
+ err = nullptr;
+ host_config *hostspec = static_cast<host_config *>(util_common_calloc_s(sizeof(host_config)));
+ ASSERT_NE(hostspec, nullptr);
+
+ oci_runtime_spec *ocispec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \
+ { \"devices\": [ ], \
+ \"resources\": { \"devices\": [ ] } } }", nullptr, &err);
+ ASSERT_NE(ocispec, nullptr);
+
+ MOCK_SET(get_readonly_default_oci_spec, readonly_spec);
+ MOCK_SET_V(util_smart_calloc_s, util_smart_calloc_s_fail);
+ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail);
+
+ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1);
+ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1);
+ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1);
+ free(ocispec->linux->devices[0]);
+ free(ocispec->linux->devices);
+ ocispec->linux->devices = NULL;
+ ocispec->linux->devices_len = 0;
+ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1);
+ free(ocispec->linux->devices[0]);
+ free(ocispec->linux->devices);
+ ocispec->linux->devices = NULL;
+ ocispec->linux->devices_len = 0;
+ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), 0);
+
+ MOCK_CLEAR(get_readonly_default_oci_spec);
+ MOCK_CLEAR(util_smart_calloc_s);
+ MOCK_CLEAR(util_common_calloc_s);
+
+ free_oci_runtime_spec(readonly_spec);
+ free_oci_runtime_spec(ocispec);
+ free_host_config(hostspec);
+ free(err);
+}
--
2.25.1

26
0196-skip-devmapper-ut.patch Normal file
View File

@ -0,0 +1,26 @@
From 0112fee746125da97ec3aa7d532545ec93aa821b Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Tue, 30 Jan 2024 12:31:37 +0800
Subject: [PATCH 196/198] skip devmapper ut
Signed-off-by: jikai <jikai11@huawei.com>
---
CI/make-and-install.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CI/make-and-install.sh b/CI/make-and-install.sh
index 08cc4520..819f2752 100755
--- a/CI/make-and-install.sh
+++ b/CI/make-and-install.sh
@@ -75,7 +75,7 @@ mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_UT=ON -DENABLE_SHIM_V2=ON ..
make -j $(nproc)
make install
-ctest -T memcheck --output-on-failure
+ctest -E "driver_devmapper_ut" -T memcheck --output-on-failure
if [[ $? -ne 0 ]]; then
exit 1
fi
--
2.25.1

136
0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch Normal file
View File

@ -0,0 +1,136 @@
From 0c19d0c481428fc91d832bd47846eff203005052 Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Tue, 30 Jan 2024 13:16:35 +0800
Subject: [PATCH 197/198] bugfix for cont restart when iSulad drops original
default-ulimit
Signed-off-by: jikai <jikai11@huawei.com>
---
src/daemon/modules/api/specs_api.h | 4 ++
.../modules/service/service_container.c | 14 ++----
src/daemon/modules/spec/specs.c | 46 +++++++++++++++++++
3 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h
index 1a5a6ecc..458e3806 100644
--- a/src/daemon/modules/api/specs_api.h
+++ b/src/daemon/modules/api/specs_api.h
@@ -42,6 +42,10 @@ int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_sp
int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *container_spec, host_config *host_spec);
+int update_oci_container_cgroups_path(const char *id, oci_runtime_spec *oci_spec, const host_config *host_spec);
+
+int update_oci_ulimit(oci_runtime_spec *oci_spec, const host_config *host_spec);
+
const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container);
int spec_module_init(void);
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 534a0a1d..bad2a9e1 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -685,7 +685,6 @@ out:
static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, container_config *container_spec, host_config *hostconfig)
{
- char *cgroup_parent = NULL;
int ret;
// Renew annotations for oci spec, cgroup path only,
@@ -697,16 +696,10 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
}
// If isulad daemon cgroup parent updated, we should update this config into oci spec
- cgroup_parent = merge_container_cgroups_path(id, hostconfig);
- if (cgroup_parent == NULL) {
+ ret = update_oci_container_cgroups_path(id, oci_spec, hostconfig);
+ if (ret < 0) {
return -1;
}
- if (oci_spec->linux->cgroups_path != NULL && strcmp(oci_spec->linux->cgroups_path, cgroup_parent) != 0) {
- free(oci_spec->linux->cgroups_path);
- oci_spec->linux->cgroups_path = cgroup_parent;
- cgroup_parent = NULL;
- }
- free(cgroup_parent);
// For Linux.Resources, isula update will save changes into oci spec;
// so we just skip it;
@@ -719,7 +712,8 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
}
// If isulad daemon ulimit updated, we should update this config into oci spec.
- if (merge_global_ulimit(oci_spec) != 0) {
+ ret = update_oci_ulimit(oci_spec, hostconfig);
+ if (ret < 0) {
return -1;
}
diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
index dd6e413b..d2088a8e 100644
--- a/src/daemon/modules/spec/specs.c
+++ b/src/daemon/modules/spec/specs.c
@@ -2165,6 +2165,28 @@ char *merge_container_cgroups_path(const char *id, const host_config *host_spec)
return ret;
}
+int update_oci_container_cgroups_path(const char *id, oci_runtime_spec *oci_spec, const host_config *hostconfig)
+{
+ if (oci_spec == NULL || oci_spec->linux == NULL) {
+ ERROR("Invalid arguments");
+ return -1;
+ }
+
+ char *cgroup_parent = merge_container_cgroups_path(id, hostconfig);
+ if (cgroup_parent == NULL) {
+ return -1;
+ }
+
+ if (oci_spec->linux->cgroups_path != NULL && strcmp(oci_spec->linux->cgroups_path, cgroup_parent) != 0) {
+ free(oci_spec->linux->cgroups_path);
+ oci_spec->linux->cgroups_path = cgroup_parent;
+ cgroup_parent = NULL;
+ }
+ free(cgroup_parent);
+
+ return 0;
+}
+
static int merge_oci_cgroups_path(const char *id, oci_runtime_spec *oci_spec, const host_config *host_spec)
{
if (id == NULL || oci_spec == NULL || host_spec == NULL) {
@@ -2309,6 +2331,30 @@ out:
return ret;
}
+int update_oci_ulimit(oci_runtime_spec *oci_spec, const host_config *hostconfig) {
+ if (oci_spec == NULL || hostconfig == NULL) {
+ ERROR("Invalid arguments");
+ return -1;
+ }
+
+ size_t i = 0;
+ if (oci_spec->process != NULL) {
+ for (i = 0; i < oci_spec->process->rlimits_len; i++) {
+ free_defs_process_rlimits_element(oci_spec->process->rlimits[i]);
+ oci_spec->process->rlimits[i] = NULL;
+ }
+ free(oci_spec->process->rlimits);
+ oci_spec->process->rlimits = NULL;
+ oci_spec->process->rlimits_len = 0;
+ }
+
+ if (merge_conf_ulimits(oci_spec, hostconfig) != 0 || merge_global_ulimit(oci_spec) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
/* read oci config */
oci_runtime_spec *load_oci_config(const char *rootpath, const char *name)
{
--
2.25.1

145
0198-improve-dt-for-default-ulimit-change.patch Normal file
View File

@ -0,0 +1,145 @@
From 507e8dee9c6467325d46faef6dc76900733ea85b Mon Sep 17 00:00:00 2001
From: jikai <jikai11@huawei.com>
Date: Tue, 30 Jan 2024 13:21:14 +0800
Subject: [PATCH 198/198] improve dt for default ulimit change
Signed-off-by: jikai <jikai11@huawei.com>
---
CI/test_cases/container_cases/ulimit.sh | 19 ++++++
test/specs/specs/specs_ut.cc | 80 ++++++++++++++++++++++++-
2 files changed, 98 insertions(+), 1 deletion(-)
diff --git a/CI/test_cases/container_cases/ulimit.sh b/CI/test_cases/container_cases/ulimit.sh
index f823dc1c..41cdcece 100755
--- a/CI/test_cases/container_cases/ulimit.sh
+++ b/CI/test_cases/container_cases/ulimit.sh
@@ -49,9 +49,28 @@ function test_ulimit()
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart failed" && ((ret++))
cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed after restart" && ((ret++))
+
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ start_isulad_with_valgrind
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+
+ # if default ulimit of isulad changed, isula start should do update ulimit of oci spec
+ isula restart -t 0 $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart failed" && ((ret++))
+ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_"
+ [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed after restart" && ((ret++))
+
isula rm -f $cid
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm container failed" && ((ret++))
+ check_valgrind_log
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
+
+ start_isulad_with_valgrind --default-ulimit nproc=2048:4096 --default-ulimit nproc=2048:8192 --default-ulimit nofile=1024:4096
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
+
isula run --ulimit nproc= $image --runtime $runtime /bin/sh > $ulimitlog 2>&1
cat $ulimitlog | grep "delimiter '=' can't be the first or the last character"
[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check failed" && ((ret++))
diff --git a/test/specs/specs/specs_ut.cc b/test/specs/specs/specs_ut.cc
index 8fbaa337..d5105f43 100644
--- a/test/specs/specs/specs_ut.cc
+++ b/test/specs/specs/specs_ut.cc
@@ -273,6 +273,32 @@ char *invoke_conf_get_isulad_cgroup_parent()
return util_strdup_s("/var/lib/isulad/engines/lcr");
}
+int invoke_conf_get_isulad_default_ulimit_empty(host_config_ulimits_element ***ulimit)
+{
+ if (ulimit == nullptr) {
+ return -1;
+ }
+ return 0;
+}
+
+int invoke_conf_get_isulad_default_ulimit(host_config_ulimits_element ***ulimit)
+{
+ if (ulimit == nullptr) {
+ return -1;
+ }
+ host_config_ulimits_element *ele = static_cast<host_config_ulimits_element*>(util_common_calloc_s(sizeof(host_config_ulimits_element)));
+ if (ele == nullptr) {
+ return -1;
+ }
+ ele->hard = 8192;
+ ele->soft = 2048;
+ ele->name = util_strdup_s("NPROC");
+
+ int ret = ulimit_array_append(ulimit, ele, ulimit_array_len(*ulimit));
+ free_host_config_ulimits_element(ele);
+ return ret;
+}
+
TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_1)
{
ASSERT_EQ(merge_container_cgroups_path(nullptr, nullptr), nullptr);
@@ -366,7 +392,59 @@ TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_5)
testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
}
-TEST_F(SpecsUnitTest, SpecsUnitTest_test_update_devcies_for_oci_spec)
+TEST_F(SpecsUnitTest, test_update_oci_container_cgroups_path)
+{
+ parser_error err = nullptr;
+ host_config *hostspec = static_cast<host_config *>(util_common_calloc_s(sizeof(host_config)));
+ ASSERT_NE(hostspec, nullptr);
+
+ oci_runtime_spec *ocispec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \
+ {} }", nullptr, &err);
+ ASSERT_NE(ocispec, nullptr);
+
+ ocispec->linux->cgroups_path = util_strdup_s("/isulad");
+ ASSERT_EQ(update_oci_container_cgroups_path("abcdef", nullptr, nullptr), -1);
+ EXPECT_CALL(m_isulad_conf, GetCgroupParent()).WillRepeatedly(Invoke(invoke_conf_get_isulad_cgroup_parent));
+ ASSERT_EQ(update_oci_container_cgroups_path("abcdef", ocispec, hostspec), 0);
+ ASSERT_STREQ(ocispec->linux->cgroups_path, "/var/lib/isulad/engines/lcr/abcdef");
+
+ free(err);
+ free_host_config(hostspec);
+ free_oci_runtime_spec(ocispec);
+
+ testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
+}
+
+TEST_F(SpecsUnitTest, test_update_oci_ulimit)
+{
+ parser_error err = nullptr;
+ host_config *hostspec = static_cast<host_config *>(util_common_calloc_s(sizeof(host_config)));
+ ASSERT_NE(hostspec, nullptr);
+
+ char *oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE);
+ ASSERT_TRUE(oci_config_file != nullptr);
+ oci_runtime_spec *ocispec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err);
+ ASSERT_NE(ocispec, nullptr);
+
+ ASSERT_EQ(update_oci_ulimit(nullptr, nullptr), -1);
+ EXPECT_CALL(m_isulad_conf, GetUlimit(_)).WillRepeatedly(Invoke(invoke_conf_get_isulad_default_ulimit));
+ ASSERT_EQ(update_oci_ulimit(ocispec, hostspec), 0);
+ ASSERT_EQ(ocispec->process->rlimits_len, 1);
+ ASSERT_EQ(ocispec->process->rlimits[0]->hard, 8192);
+ ASSERT_EQ(ocispec->process->rlimits[0]->soft, 2048);
+ ASSERT_STREQ(ocispec->process->rlimits[0]->type, "RLIMIT_NPROC");
+ EXPECT_CALL(m_isulad_conf, GetUlimit(_)).WillRepeatedly(Invoke(invoke_conf_get_isulad_default_ulimit_empty));
+ ASSERT_EQ(update_oci_ulimit(ocispec, hostspec), 0);
+ ASSERT_EQ(ocispec->process->rlimits_len, 0);
+
+ free(err);
+ free(oci_config_file);
+ free_host_config(hostspec);
+ free_oci_runtime_spec(ocispec);
+ testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
+}
+
+TEST_F(SpecsUnitTest, test_update_devcies_for_oci_spec)
{
parser_error err = nullptr;
oci_runtime_spec *readonly_spec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \
--
2.25.1

25
iSulad.spec
View File

@ -1,5 +1,5 @@
%global _version 2.0.18
%global _release 15
%global _release 16
%global is_systemd 1
%global enable_shimv2 1
%global is_embedded 1
@ -194,6 +194,23 @@ Patch0178: 0178-remove-var-in-coverage-and-fix-build-test-remove.patch
Patch0179: 0179-code-improve-for-oci_rmi.patch
Patch0180: 0180-verify-name-and-digest-consistency.patch
Patch0181: 0181-bugfix-for-resort_image_names.patch
Patch0182: 0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch
Patch0183: 0183-check-if-shim-log.json-is-a-symlink.patch
Patch0184: 0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch
Patch0185: 0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch
Patch0186: 0186-refactor-update-possible-changed-resources-for-oci-s.patch
Patch0187: 0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch
Patch0188: 0188-update-annotations-and-add-ci-cases.patch
Patch0189: 0189-do-not-update-rootfs-mnt-and-umask-annotations.patch
Patch0190: 0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch
Patch0191: 0191-bugfix-for-mount-point-remains-under-special-circums.patch
Patch0192: 0192-do-not-cleanup-if-the-directory-does-not-exist.patch
Patch0193: 0193-module-only-deletes-the-temporary-files-it-creates.patch
Patch0194: 0194-ensure-default-spec-has-linux-resources.patch
Patch0195: 0195-improve-dt-for-oci-device-update.patch
Patch0196: 0196-skip-devmapper-ut.patch
Patch0197: 0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch
Patch0198: 0198-improve-dt-for-default-ulimit-change.patch
%ifarch x86_64 aarch64
Provides: libhttpclient.so()(64bit)
@ -438,6 +455,12 @@ fi
%endif
%changelog
* Tue Jan 30 2024 zhongtao <zhongtao17@huawei.com> - 2.0.18-16
- Type: bugfix
- ID: NA
- SUG: NA
- DESC: upgrade from upstream
* Fri Dec 29 2023 yangjiaqi <yangjiaqi16@huawei.com> - 2.0.18-15
- Type: bugfix
- ID: NA