From 75b3c2d3917e48acaa47a9970660371df185e28f Mon Sep 17 00:00:00 2001 
From: openeuler-sync-bot Date: Mon, 5 Feb 2024 01:34:02 +0000 Subject: [PATCH] !662 [sync] PR-659: upgrade from upstream * upgrade from upstream --- ...s-cont-error-remove-inspect-error-lo.patch | 77 ++++ ...-check-if-shim-log.json-is-a-symlink.patch | 26 ++ ...me-unsupported-file-types-when-archi.patch | 60 +++ ...rt-isuald-when-upgrade-active-isulad.patch | 34 ++ ...possible-changed-resources-for-oci-s.patch | 418 ++++++++++++++++++ ...case-for-update-oci-spec-in-start-op.patch | 119 +++++ ...-update-annotations-and-add-ci-cases.patch | 166 +++++++ ...ate-rootfs-mnt-and-umask-annotations.patch | 55 +++ ...t-in-container-spec-for-system-conta.patch | 49 ++ ...-point-remains-under-special-circums.patch | 123 ++++++ ...anup-if-the-directory-does-not-exist.patch | 71 +++ ...letes-the-temporary-files-it-creates.patch | 151 +++++++ ...ure-default-spec-has-linux-resources.patch | 31 ++ 0195-improve-dt-for-oci-device-update.patch | 152 +++++++ 0196-skip-devmapper-ut.patch | 26 ++ ...restart-when-iSulad-drops-original-d.patch | 136 ++++++ ...improve-dt-for-default-ulimit-change.patch | 145 ++++++ iSulad.spec | 25 +- 18 files changed, 1863 insertions(+), 1 deletion(-) create mode 100644 0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch create mode 100644 0183-check-if-shim-log.json-is-a-symlink.patch create mode 100644 0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch create mode 100644 0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch create mode 100644 0186-refactor-update-possible-changed-resources-for-oci-s.patch create mode 100644 0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch create mode 100644 0188-update-annotations-and-add-ci-cases.patch create mode 100644 0189-do-not-update-rootfs-mnt-and-umask-annotations.patch create mode 100644 0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch create mode 100644 0191-bugfix-for-mount-point-remains-under-special-circums.patch create mode 100644 
0192-do-not-cleanup-if-the-directory-does-not-exist.patch create mode 100644 0193-module-only-deletes-the-temporary-files-it-creates.patch create mode 100644 0194-ensure-default-spec-has-linux-resources.patch create mode 100644 0195-improve-dt-for-oci-device-update.patch create mode 100644 0196-skip-devmapper-ut.patch create mode 100644 0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch create mode 100644 0198-improve-dt-for-default-ulimit-change.patch diff --git a/0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch b/0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch new file mode 100644 index 0000000..b298d08 --- /dev/null +++ b/0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch 
@@ -0,0 +1,77 @@ +From 9f67d23b81babd5be844d1e5abad6fbbe74a3aca Mon Sep 17 00:00:00 2001 +From: jikai +Date: Tue, 19 Dec 2023 18:31:30 +0800 +Subject: [PATCH 182/198] fix stopp removes cont error & remove inspect error + log + +Signed-off-by: jikai +--- + .../cri_pod_sandbox_manager_service_impl.cc | 36 ++++++++----------- + .../container_cb/execution_information.c | 2 +- + 2 files changed, 15 insertions(+), 23 deletions(-) + +diff --git a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc +index edf4dc81..da23cb21 100644 +--- a/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc ++++ b/src/daemon/entry/cri/cri_pod_sandbox_manager_service_impl.cc +@@ -663,30 +663,22 @@ auto PodSandboxManagerServiceImpl::GetRealSandboxIDToStop(const std::string &pod + std::map &stdAnnos, Errors &error) + -> int + { +- Errors statusErr; ++ auto status = PodSandboxStatus(podSandboxID, error); ++ if (error.NotEmpty()) { ++ return -1; ++ } + +- auto status = PodSandboxStatus(podSandboxID, statusErr); +- if (statusErr.Empty()) { +- if (status->linux().namespaces().has_options()) { +- hostNetwork = (status->linux().namespaces().options().network() == runtime::v1alpha2::NamespaceMode::NODE); +- } +- // if metadata is invalid, don't return -1 and continue stopping pod +- if (status->has_metadata()) { +- name = status->metadata().name(); +- ns = status->metadata().namespace_(); +- } +- realSandboxID = status->id(); +- CRIHelpers::ProtobufAnnoMapToStd(status->annotations(), stdAnnos); +- } else { +- if (CRIHelpers::IsContainerNotFoundError(statusErr.GetMessage())) { +- WARN("Both sandbox container and checkpoint for id %s could not be found. 
" +- "Proceed without further sandbox information.", +- podSandboxID.c_str()); +- } else { +- error.Errorf("failed to get sandbox status: %s", statusErr.GetCMessage()); +- return -1; +- } ++ if (status->linux().namespaces().has_options()) { ++ hostNetwork = (status->linux().namespaces().options().network() == runtime::v1alpha2::NamespaceMode::NODE); + } ++ // if metadata is invalid, don't return -1 and continue stopping pod ++ if (status->has_metadata()) { ++ name = status->metadata().name(); ++ ns = status->metadata().namespace_(); ++ } ++ realSandboxID = status->id(); ++ CRIHelpers::ProtobufAnnoMapToStd(status->annotations(), stdAnnos); ++ + if (realSandboxID.empty()) { + realSandboxID = podSandboxID; + } +diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c +index ba33bdfa..6489797d 100644 +--- a/src/daemon/executor/container_cb/execution_information.c ++++ b/src/daemon/executor/container_cb/execution_information.c +@@ -909,7 +909,7 @@ static int inspect_container_helper(const char *id, int timeout, char **containe + + inspect = inspect_container(id, timeout, true); + if (inspect == NULL) { +- ERROR("Failed to inspect container:%s", id); ++ DEBUG("Failed to inspect container:%s", id); + ret = -1; + goto out; + } +-- +2.25.1 + diff --git a/0183-check-if-shim-log.json-is-a-symlink.patch b/0183-check-if-shim-log.json-is-a-symlink.patch new file mode 100644 index 0000000..7ab724c --- /dev/null +++ b/0183-check-if-shim-log.json-is-a-symlink.patch 
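Review bot: GetRealSandboxIDToStop now returns -1 for every PodSandboxStatus failure, including the container-not-found case that the removed branch deliberately tolerated with a WARN and "Proceed without further sandbox information"; if any caller still expects StopPodSandbox to succeed for a sandbox whose container is already gone, that path now fails. If dropping that tolerance is the intended fix, a comment above the early return would keep the next reader from restoring it, e.g. `// a missing sandbox container is a hard error here; do not fall back to best-effort stop`. The surviving comment `// if metadata is invalid, don't return -1 and continue stopping pod` now reads oddly next to an unconditional early return on any status error and should be reworded to say it covers metadata only. In execution_information.c the inspect failure is demoted to DEBUG, so a real inspect failure is invisible at the default log level unless the caller reports it; worth confirming that `ret = -1` is surfaced upstream. GetRealSandboxIDToStop continues outside the hunk.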
@@ -0,0 +1,26 @@ +From c8d940c54bd1183ffbe918f75af063a90e8677d4 Mon Sep 17 00:00:00 2001 +From: jikai +Date: Sun, 24 Dec 2023 14:04:19 +0800 +Subject: [PATCH 183/198] check if shim-log.json is a symlink + +Signed-off-by: jikai +--- + src/cmd/isulad-shim/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cmd/isulad-shim/common.c b/src/cmd/isulad-shim/common.c +index 4a84cf40..2c0a4e3a 100644 +--- a/src/cmd/isulad-shim/common.c ++++ b/src/cmd/isulad-shim/common.c +@@ -33,7 +33,7 @@ int g_log_fd = -1; + + int init_shim_log(void) + { +- g_log_fd = open_no_inherit(SHIM_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0640); ++ g_log_fd = open_no_inherit(SHIM_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC | O_NOFOLLOW, 0640); + if (g_log_fd < 0) { + return SHIM_ERR; + } +-- +2.25.1 + diff --git a/0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch b/0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch new file mode 100644 index 0000000..2751bfe --- /dev/null +++ b/0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch 
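Review bot: O_NOFOLLOW only refuses a symlink as the final component of SHIM_LOG_NAME; a symlinked parent directory is still followed, so the guard is complete only if the directory the shim opens the log in is trusted. A comment on the changed line would record that assumption, e.g. `/* O_NOFOLLOW: refuse a symlinked shim-log.json (final component only; the parent directory is assumed trusted) */`. On the ELOOP failure the function returns SHIM_ERR without errno, which is acceptable here since the log is not open yet, but the caller should report it. init_shim_log continues outside the hunk.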
@@ -0,0 +1,60 @@ +From 6d602103ad975c51f2ec844c89f5e87f82768849 Mon Sep 17 00:00:00 2001 +From: l00804245 +Date: Tue, 2 Jan 2024 10:39:24 +0800 +Subject: [PATCH 184/198] bugfix:ignore some unsupported file types when + archiving + +--- + src/utils/tar/util_archive.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c +index 19cfdd12..86947c0b 100644 +--- a/src/utils/tar/util_archive.c ++++ b/src/utils/tar/util_archive.c +@@ -1055,6 +1055,29 @@ static void link_kvfree(void *key, void *value) + return; + } + ++static bool check_archive_write_entry_filetype_unsupported(struct archive_entry *entry) ++{ ++ bool unsupported = true; ++ /* ++ * The file types to be archived must comply with the pax interchange format, ++ * the following switch-case lists the file types that meet the standard, ++ * the socket and other file types do not meet the standard, therefore, archiving is not supported. ++ */ ++ switch (archive_entry_filetype(entry)) { ++ case AE_IFBLK: ++ case AE_IFCHR: ++ case AE_IFIFO: ++ case AE_IFLNK: ++ case AE_IFREG: ++ case AE_IFDIR: ++ unsupported = false; ++ break; ++ default: /* AE_IFSOCK and unknown */ ++ break; ++ } ++ return unsupported; ++} ++ + int tar_handler(struct archive *r, struct archive *w, const char *src_base, const char *dst_base) + { + int ret = ARCHIVE_OK; +@@ -1094,6 +1117,12 @@ int tar_handler(struct archive *r, struct archive *w, const char *src_base, cons + ret = ARCHIVE_FAILED; + break; + } ++ ++ if (check_archive_write_entry_filetype_unsupported(entry)) { ++ WARN("%s ignored", archive_entry_pathname(entry)); ++ continue; ++ } ++ + ret = archive_write_header(w, entry); + if (ret != ARCHIVE_OK) { + ERROR("Fail to write tar header: %s.\nlink:%s target:%s", archive_error_string(w), +-- +2.25.1 + 
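Review bot: check_archive_write_entry_filetype_unsupported is a double negative (the switch lists the supported types and sets `unsupported = false`), which makes the call site `if (check_..._unsupported(entry))` harder to read than it needs to be. Renaming it to `is_archive_entry_filetype_supported`, returning `true` from the listed cases and `false` from `default`, and calling it as `if (!is_archive_entry_filetype_supported(entry)) { WARN("%s ignored", archive_entry_pathname(entry)); continue; }` says the same thing directly. The WARN message could also name the reason, e.g. `"%s ignored: file type not supported by pax format"`, so an operator reading the log knows why a path was dropped. The second nested hunk sits inside tar_handler, whose loop starts and ends outside the hunk, so whether `continue` correctly skips any pending entry data for these types cannot be checked from here.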
diff --git a/0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch b/0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch new file mode 100644 index 0000000..4f45a6b --- /dev/null +++ b/0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch @@ -0,0 +1,34 @@ +From 5e125dd63c18e434c684939147717a3a6440b471 Mon Sep 17 00:00:00 2001 +From: yangjiaqi +Date: Thu, 28 Dec 2023 16:02:32 +0800 +Subject: [PATCH 185/198] iSulad: restart isuald when upgrade active isulad + +Signed-off-by: yangjiaqi +--- + iSulad.spec | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/iSulad.spec b/iSulad.spec +index d3799784..68590a2c 100644 +--- a/iSulad.spec ++++ b/iSulad.spec +@@ -167,6 +167,16 @@ if [ -e %{_unitdir}/lcrd.service.rpmsave ]; then + mv %{_unitdir}/lcrd.service.rpmsave %{_unitdir}/isulad.service + sed -i 's/lcrd/isulad/g' %{_unitdir}/isulad.service + fi ++# During the isulad upgrade process, the isulad service may still be running, but the service may be unavailable ++# due to configuration updates and other reasons. ++# it may fail if the X package is upgraded synchronously with isulad and depends on the isulad command, ++# For example syscontianer-tools and lxcfs-tools. ++# Therefore, after upgrading isulad, if the original status of isulad is running, ++# we need to restart isulad to ensure that the service is available during the upgrade process. ++systemctl status isulad | grep 'Active:' | grep 'running' ++if [ $? -eq 0 ]; then ++ systemctl restart isulad ++fi + %else + /sbin/service isulad status | grep 'Active:' | grep 'running' + if [ $? -eq 0 ]; then +-- +2.25.1 + diff --git a/0186-refactor-update-possible-changed-resources-for-oci-s.patch b/0186-refactor-update-possible-changed-resources-for-oci-s.patch new file mode 100644 index 0000000..7915143 --- /dev/null +++ b/0186-refactor-update-possible-changed-resources-for-oci-s.patch 
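Review bot: The added running check greps the human-readable `systemctl status` output for `Active:` and `running`, which depends on the output format and locale rather than on the unit state. `if systemctl is-active --quiet isulad; then systemctl restart isulad; fi` asks systemd directly and replaces the `$?` test. The comment above it should also state whether restarting the daemon in %post is expected to leave running containers untouched, since that is the part an upgrader will care about; from the hunk alone that cannot be confirmed. The `%else` branch keeps the same grep pattern against `/sbin/service`, but that is pre-existing code.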
@@ -0,0 +1,418 @@ +From 8ba1adc1b19692eb65051adac069ea2a14a62f3d Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Tue, 17 Oct 2023 15:52:11 +0800 +Subject: [PATCH 186/198] [refactor] update possible changed resources for oci + spec + +Signed-off-by: haozi007 +--- + src/cmd/isulad/main.c | 5 + + src/daemon/modules/api/specs_api.h | 4 + + .../modules/service/service_container.c | 68 ++++++++-- + src/daemon/modules/spec/specs.c | 38 +++++- + src/daemon/modules/spec/specs_mount.c | 120 ++++++++++++++++-- + src/daemon/modules/spec/specs_mount.h | 6 +- + .../image/oci/oci_config_merge/CMakeLists.txt | 4 + + 7 files changed, 221 insertions(+), 24 deletions(-) + +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index 05e899f6..1bcef43f 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -1372,6 +1372,11 @@ static int isulad_server_init_common() + goto out; + } + ++ if (spec_module_init() != 0) { ++ ERROR("Failed to init spec module"); ++ goto out; ++ } ++ + if (containers_store_init()) { + ERROR("Failed to init containers store"); + goto out; +diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h +index 0a594d81..f48f0bda 100644 +--- a/src/daemon/modules/api/specs_api.h ++++ b/src/daemon/modules/api/specs_api.h +@@ -40,6 +40,10 @@ int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, ch + int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec, + const container_config_v2_common_config_network_settings *network_settings); + ++const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container); ++ ++int spec_module_init(void); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 58b27f90..a5c12862 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -13,19 +13,11 @@ + * Description: provide 
container supervisor functions + ******************************************************************************/ + #define _GNU_SOURCE +-#include + #include + #include + #include + #include + #include +-#include +-#include +-#include +-#include +-#include +-#include +-#include + #include + #include + #include +@@ -35,15 +27,28 @@ + #include + #include + #include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include + + #include "service_container_api.h" +-#include "isula_libutils/log.h" + #include "utils.h" + #include "err_msg.h" + #include "events_sender_api.h" + #include "image_api.h" + #include "specs_api.h" + #include "specs_mount.h" ++#include "specs_extend.h" + #include "isulad_config.h" + #include "verify.h" + #include "plugin_api.h" +@@ -678,6 +683,43 @@ out: + epoll_loop_close(&descr); + } + ++static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, host_config *hostconfig) ++{ ++ char *cgroup_parent = NULL; ++ int ret; ++ ++ // If isulad daemon cgroup parent updated, we should update this config into oci spec ++ cgroup_parent = merge_container_cgroups_path(id, hostconfig); ++ if (cgroup_parent == NULL) { ++ return -1; ++ } ++ if (oci_spec->linux->cgroups_path != NULL && strcmp(oci_spec->linux->cgroups_path, cgroup_parent) != 0) { ++ free(oci_spec->linux->cgroups_path); ++ oci_spec->linux->cgroups_path = cgroup_parent; ++ cgroup_parent = NULL; ++ } ++ free(cgroup_parent); ++ ++ // For Linux.Resources, isula update will save changes into oci spec; ++ // so we just skip it; ++ ++ // Remove old devices and update all devices ++ ret = update_devcies_for_oci_spec(oci_spec, hostconfig); ++ if (ret != 0) { ++ ERROR("Failed to do update devices for oci spec"); ++ return -1; ++ } ++ ++ // If isulad daemon ulimit updated, we should update this config into oci spec. 
++ if (merge_global_ulimit(oci_spec) != 0) { ++ return -1; ++ } ++ ++ // renew_oci_config() will update process->user and share namespace after. ++ ++ return 0; ++} ++ + static int do_start_container(container_t *cont, const char *console_fifos[], bool reset_rm, pid_ppid_info_t *pid_info) + { + int ret = 0; +@@ -752,6 +794,14 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + goto close_exit_fd; + } + ++ // Update possible changes ++ nret = do_oci_spec_update(id, oci_spec, cont->hostconfig); ++ if (nret != 0) { ++ ERROR("Failed to update possible changes for oci spec"); ++ ret = -1; ++ goto close_exit_fd; ++ } ++ + nret = setup_ipc_dirs(cont->hostconfig, cont->common_config); + if (nret != 0) { + ERROR("Failed to setup ipc dirs"); +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index 0c7d58b3..316e9c92 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -17,6 +17,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -76,6 +78,13 @@ + #define CLONE_NEWCGROUP 0x02000000 + #endif + ++struct readonly_default_oci_spec { ++ oci_runtime_spec *cont; ++ oci_runtime_spec *system_cont; ++}; ++ ++static struct readonly_default_oci_spec g_rdspec; ++ + static int make_sure_oci_spec_annotations(oci_runtime_spec *oci_spec) + { + if (oci_spec->annotations == NULL) { +@@ -1714,7 +1723,12 @@ static int merge_resources_conf(oci_runtime_spec *oci_spec, host_config *host_sp + goto out; + } + +- ret = merge_conf_device(oci_spec, host_spec); ++ ret = merge_conf_blkio_device(oci_spec, host_spec); ++ if (ret != 0) { ++ goto out; ++ } ++ ++ ret = merge_conf_devices(oci_spec, host_spec); + if (ret != 0) { + goto out; + } +@@ -2328,3 +2342,25 @@ out_free: + free(json_container); + return ret; + } ++ ++const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container) ++{ ++ if (system_container) { ++ return g_rdspec.system_cont; ++ } ++ 
++ return g_rdspec.cont; ++} ++ ++int spec_module_init(void) ++{ ++ g_rdspec.cont = default_spec(false); ++ if (g_rdspec.cont == NULL) { ++ return -1; ++ } ++ g_rdspec.system_cont = default_spec(true); ++ if (g_rdspec.system_cont == NULL) { ++ return -1; ++ } ++ return 0; ++} +\ No newline at end of file +diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c +index cd3a5c9d..8bff6cda 100644 +--- a/src/daemon/modules/spec/specs_mount.c ++++ b/src/daemon/modules/spec/specs_mount.c +@@ -53,6 +53,7 @@ + #include "image_api.h" + #include "volume_api.h" + #include "parse_volume.h" ++#include "specs_api.h" + + enum update_rw { + update_rw_untouch, +@@ -2212,7 +2213,24 @@ out: + return ret; + } + +-int merge_conf_device(oci_runtime_spec *oci_spec, host_config *host_spec) ++int merge_conf_devices(oci_runtime_spec *oci_spec, host_config *host_spec) ++{ ++ /* devices which will be populated into container */ ++ if (merge_conf_populate_device(oci_spec, host_spec)) { ++ ERROR("Merge user define devices failed"); ++ return -1; ++ } ++ ++ /* device cgroup rules which will be added into container */ ++ if (merge_conf_device_cgroup_rule(oci_spec, host_spec)) { ++ ERROR("Merge user define device cgroup rules failed"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int merge_conf_blkio_device(oci_runtime_spec *oci_spec, host_config *host_spec) + { + int ret = 0; + +@@ -2270,18 +2288,6 @@ int merge_conf_device(oci_runtime_spec *oci_spec, host_config *host_spec) + } + } + +- /* devices which will be populated into container */ +- if (merge_conf_populate_device(oci_spec, host_spec)) { +- ret = -1; +- goto out; +- } +- +- /* device cgroup rules which will be added into container */ +- if (merge_conf_device_cgroup_rule(oci_spec, host_spec)) { +- ret = -1; +- goto out; +- } +- + out: + return ret; + } +@@ -3488,3 +3494,91 @@ out: + free(mntparent); + return ret; + } ++ ++int update_devcies_for_oci_spec(oci_runtime_spec *oci_spec, host_config *hostconfig) 
++{ ++ const oci_runtime_spec *readonly_spec = NULL; ++ size_t i; ++ int ret; ++ ++ // Step1: get default oci spec config ++ readonly_spec = get_readonly_default_oci_spec(hostconfig->system_container); ++ ++ // Step2: clear oci_spec devices items ++ for (i = 0; i < oci_spec->linux->devices_len; i++) { ++ free_defs_device(oci_spec->linux->devices[i]); ++ oci_spec->linux->devices[i] = NULL; ++ } ++ // Step3: if default devices length more than old spec, just realloc memory ++ if (readonly_spec->linux->devices_len > oci_spec->linux->devices_len) { ++ free(oci_spec->linux->devices); ++ oci_spec->linux->devices = util_smart_calloc_s(sizeof(defs_device *), readonly_spec->linux->devices_len); ++ if (oci_spec->linux->devices == NULL) { ++ oci_spec->linux->devices_len = 0; ++ ERROR("Out of memory"); ++ return -1; ++ } ++ } ++ oci_spec->linux->devices_len = 0; ++ // Step4: copy default devices to oci spec ++ for (i = 0; i < readonly_spec->linux->devices_len; i++) { ++ defs_device *tmp_dev = util_common_calloc_s(sizeof(defs_device)); ++ if (tmp_dev == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ tmp_dev->type = util_strdup_s(readonly_spec->linux->devices[i]->type); ++ tmp_dev->path = util_strdup_s(readonly_spec->linux->devices[i]->path); ++ tmp_dev->file_mode = readonly_spec->linux->devices[i]->file_mode; ++ tmp_dev->major = readonly_spec->linux->devices[i]->major; ++ tmp_dev->minor = readonly_spec->linux->devices[i]->minor; ++ tmp_dev->uid = readonly_spec->linux->devices[i]->uid; ++ tmp_dev->gid = readonly_spec->linux->devices[i]->gid; ++ oci_spec->linux->devices[i] = tmp_dev; ++ oci_spec->linux->devices_len += 1; ++ } ++ ++ // Step5: clear oci_spec device cgroup rules ++ for (i = 0; i < oci_spec->linux->resources->devices_len; i++) { ++ free_defs_device_cgroup(oci_spec->linux->resources->devices[i]); ++ oci_spec->linux->resources->devices[i] = NULL; ++ } ++ // Step6: if default devices lenght more than old spec, just realloc memory ++ if 
(readonly_spec->linux->resources->devices_len > oci_spec->linux->resources->devices_len) { ++ free(oci_spec->linux->resources->devices); ++ oci_spec->linux->resources->devices = util_smart_calloc_s(sizeof(defs_device_cgroup *), ++ readonly_spec->linux->resources->devices_len); ++ if (oci_spec->linux->resources->devices == NULL) { ++ oci_spec->linux->resources->devices_len = 0; ++ ERROR("Out of memory"); ++ return -1; ++ } ++ } ++ oci_spec->linux->resources->devices_len = 0; ++ // Step7: copy default device cgroup rules to oci spec ++ for (i = 0; i < readonly_spec->linux->resources->devices_len; i++) { ++ defs_device_cgroup *tmp_dev_cg = util_common_calloc_s(sizeof(defs_device_cgroup)); ++ if (tmp_dev_cg == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ tmp_dev_cg->allow = readonly_spec->linux->resources->devices[i]->allow; ++ tmp_dev_cg->major = readonly_spec->linux->resources->devices[i]->major; ++ tmp_dev_cg->minor = readonly_spec->linux->resources->devices[i]->minor; ++ tmp_dev_cg->type = util_strdup_s(readonly_spec->linux->resources->devices[i]->type); ++ tmp_dev_cg->access = util_strdup_s(readonly_spec->linux->resources->devices[i]->access); ++ oci_spec->linux->resources->devices[i] = tmp_dev_cg; ++ oci_spec->linux->resources->devices_len += 1; ++ } ++ ++ // Step8: do update devices and cgroup device rules at here ++ if (hostconfig->privileged) { ++ // Step8.1: for priviledged container, we should merge all devices under /dev ++ ret = merge_all_devices_and_all_permission(oci_spec); ++ } else { ++ // Step8.2: for common container, we should merge devices defined by user in hostconfig ++ ret = merge_conf_devices(oci_spec, hostconfig); ++ } ++ ++ return ret; ++} +\ No newline at end of file +diff --git a/src/daemon/modules/spec/specs_mount.h b/src/daemon/modules/spec/specs_mount.h +index 8a28f0e2..b742ca35 100644 +--- a/src/daemon/modules/spec/specs_mount.h ++++ b/src/daemon/modules/spec/specs_mount.h +@@ -41,10 +41,14 @@ int 
set_mounts_readwrite_option(const oci_runtime_spec *oci_spec); + + int merge_all_devices_and_all_permission(oci_runtime_spec *oci_spec); + +-int merge_conf_device(oci_runtime_spec *oci_spec, host_config *host_spec); ++int merge_conf_devices(oci_runtime_spec *oci_spec, host_config *host_spec); ++ ++int merge_conf_blkio_device(oci_runtime_spec *oci_spec, host_config *host_spec); + + int setup_ipc_dirs(host_config *host_spec, container_config_v2_common_config *v2_spec); + ++int update_devcies_for_oci_spec(oci_runtime_spec *oci_spec, host_config *hostconfig); ++ + #ifdef __cplusplus + } + #endif +diff --git a/test/image/oci/oci_config_merge/CMakeLists.txt b/test/image/oci/oci_config_merge/CMakeLists.txt +index 42cd2e78..d76de35d 100644 +--- a/test/image/oci/oci_config_merge/CMakeLists.txt ++++ b/test/image/oci/oci_config_merge/CMakeLists.txt +@@ -31,7 +31,11 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../test/mocks/namespace_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../test/mocks/container_unix_mock.cc + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/parse_volume.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/parse_volume.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs_mount.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs_extend.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/spec/specs_security.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/volume/volume.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/daemon/modules/volume/local.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../test/mocks/selinux_label_mock.cc +-- +2.25.1 + diff --git a/0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch b/0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch new file mode 100644 index 0000000..ff57442 --- /dev/null 
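Review bot: update_devcies_for_oci_spec dereferences `oci_spec->linux->resources` and `readonly_spec->linux->resources` from Step5 onward without a NULL check; if either spec can legitimately lack `linux.resources` (the later patch in this series titled "ensure default spec has linux resources" suggests the default side can), this crashes on container start, so a guard such as `if (oci_spec->linux->resources == NULL || readonly_spec->linux->resources == NULL) { ERROR("Missing linux resources in oci spec"); return -1; }` before Step5 would be safer. The function name is also misspelled (`devcies`) and is now exported from specs_mount.h, which gets harder to rename later. In do_oci_spec_update the merged cgroup parent is only applied when `cgroups_path` is already non-NULL, so a spec with no cgroups_path keeps none even though a new parent was computed; if that is intended, the comment should say so. In the test CMakeLists.txt hunk `spec/parse_volume.c` is added directly after an existing context line listing the same file, so it appears twice in add_executable. spec_module_init leaks `g_rdspec.cont` when `default_spec(true)` fails, which only matters if the daemon continues after init failure.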
+++ b/0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch 
@@ -0,0 +1,119 @@ +From 005ef1dfc270fdaf4be4d7f9cdf5251daf66c663 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Sat, 28 Oct 2023 10:57:13 +0800 +Subject: [PATCH 187/198] add CI testcase for update oci spec in start op + +Signed-off-by: haozi007 +--- + .../container_cases/dev_cgroup_rule.sh | 50 ++++++++++++++++++- + CI/test_cases/container_cases/ulimit.sh | 13 +++++ + 2 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/CI/test_cases/container_cases/dev_cgroup_rule.sh b/CI/test_cases/container_cases/dev_cgroup_rule.sh +index 651433c0..839a546c 100755 +--- a/CI/test_cases/container_cases/dev_cgroup_rule.sh ++++ b/CI/test_cases/container_cases/dev_cgroup_rule.sh +@@ -25,8 +25,10 @@ source ../helpers.sh + function test_cpu_dev_cgoup_rule_spec() + { + local ret=0 ++ local runtime=$1 + local image="busybox" +- local test="container device cgroup rule test => (${FUNCNAME[@]})" ++ local test="container device cgroup rule test with (${runtime}) => (${FUNCNAME[@]})" ++ local test_dev="/dev/testA" + + msg_info "${test} starting..." + +@@ -36,6 +38,47 @@ function test_cpu_dev_cgoup_rule_spec() + isula images | grep busybox + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && ((ret++)) + ++ rm -f $test_dev ++ priv_cid=$(isula run -tid --privileged --runtime $runtime $image /bin/sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run priviledged container failed" && ((ret++)) ++ priv_major_88_cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "major\": 88" | wc -l) ++ priv_minor_88_cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "minor\": 88" | wc -l) ++ ++ mknod $test_dev c 88 88 ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - mknod failed" && ((ret++)) ++ isula restart -t 0 $priv_cid ++ [[ $? 
-ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart priviledge container failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "major\": 88" | wc -l) ++ [[ $? -ne 0 ]]&& [[ $cnt -le $priv_major_88_cnt ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$priv_cid/config.json | grep "minor\": 88" | wc -l) ++ [[ $? -ne 0 ]] && [[ $cnt -le $priv_minor_88_cnt ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++)) ++ isula rm -f $priv_cid ++ ++ cid=$(isula run -tid --device "$test_dev:$test_dev" --runtime $runtime $image /bin/sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "major\": 88" | wc -l) ++ [[ $? -ne 0 ]]&& [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "minor\": 88" | wc -l) ++ [[ $? -ne 0 ]] && [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++)) ++ isula exec -it $cid sh -c "cat /sys/fs/cgroup/devices/devices.list" | grep "c 88:88 rwm" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to check c 88:88 rwm: ${image}" && ((ret++)) ++ isula stop -t 0 $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop container failed" && ((ret++)) ++ rm -f $test_dev ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm device failed" && ((ret++)) ++ mknod $test_dev c 99 99 ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - mknod failed" && ((ret++)) ++ isula start $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start container failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "major\": 99" | wc -l) ++ [[ $? 
-ne 0 ]]&& [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "minor\": 99" | wc -l) ++ [[ $? -ne 0 ]] && [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++)) ++ isula exec -it $cid sh -c "cat /sys/fs/cgroup/devices/devices.list" | grep "c 99:99 rwm" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to check c 99:99 rwm: ${image}" && ((ret++)) ++ isula rm -f $cid ++ rm -f $test_dev ++ + isula run -itd --device-cgroup-rule='b *:*' busybox 2>&1 | grep "Invalid value" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - Invalid value" && ((ret++)) + +@@ -93,6 +136,9 @@ function test_cpu_dev_cgoup_rule_spec() + + declare -i ans=0 + +-test_cpu_dev_cgoup_rule_spec || ((ans++)) ++for element in ${RUNTIME_LIST[@]}; ++do ++ test_cpu_dev_cgoup_rule_spec $element || ((ans++)) ++done + + show_result ${ans} "${curr_path}/${0}" +diff --git a/CI/test_cases/container_cases/ulimit.sh b/CI/test_cases/container_cases/ulimit.sh +index 29868041..f823dc1c 100755 +--- a/CI/test_cases/container_cases/ulimit.sh ++++ b/CI/test_cases/container_cases/ulimit.sh +@@ -33,12 +33,25 @@ function test_ulimit() + local test="ulimit test with (${runtime})=> (${FUNCNAME[@]})" + msg_info "${test} starting..." + ++ cid=$(isula run -tid --runtime $runtime $image /bin/sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check failed" && ((ret++)) ++ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_" ++ [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed" && ((ret++)) ++ + check_valgrind_log + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) + + start_isulad_with_valgrind --default-ulimit nproc=2048:4096 --default-ulimit nproc=2048:8192 --default-ulimit nofile=1024:4096 + [[ $? 
-ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) + ++ # if default ulimit of isulad changed, isula start should do update ulimit of oci spec ++ isula restart -t 0 $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart failed" && ((ret++)) ++ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed after restart" && ((ret++)) ++ isula rm -f $cid ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm container failed" && ((ret++)) ++ + isula run --ulimit nproc= $image --runtime $runtime /bin/sh > $ulimitlog 2>&1 + cat $ulimitlog | grep "delimiter '=' can't be the first or the last character" + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check failed" && ((ret++)) +-- +2.25.1 + diff --git a/0188-update-annotations-and-add-ci-cases.patch b/0188-update-annotations-and-add-ci-cases.patch new file mode 100644 index 0000000..9fa6409 --- /dev/null +++ b/0188-update-annotations-and-add-ci-cases.patch 
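Review bot: In dev_cgroup_rule.sh each `cnt=$(... | wc -l)` assertion is written as `[[ $? -ne 0 ]] && [[ $cnt ... ]] && msg_err ...`, but `$?` there is the exit status of the assignment (i.e. of `wc -l`), which is 0, so the first test fails and the major/minor checks for 88 and 99 never report a failure; the 0188 hunk copies the same pattern for the default-config device check. Dropping the `$?` test, `[[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++))`, makes the assertion live, and the privileged comparison `[[ $cnt -le $priv_major_88_cnt ]]` needs the same fix. The `isula restart`/`isula start` lines also leave `$test_dev` behind if an earlier step fails, which can make the next run's `mknod` fail. test_cpu_dev_cgoup_rule_spec starts and ends outside the hunk.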
@@ -0,0 +1,166 @@ +From b3373e04e420d448bb638407f9d36c5033f85f14 Mon Sep 17 00:00:00 2001 +From: jikai +Date: Sat, 20 Jan 2024 13:32:22 +0800 +Subject: [PATCH 188/198] update annotations and add ci cases + +Signed-off-by: jikai +--- + .../container_cases/dev_cgroup_rule.sh | 24 ++++++++++++ + src/daemon/modules/api/specs_api.h | 2 + + .../modules/service/service_container.c | 18 ++++++++- + src/daemon/modules/spec/specs.c | 38 +++++++++++++++++++ + 4 files changed, 80 insertions(+), 2 deletions(-) + +diff --git a/CI/test_cases/container_cases/dev_cgroup_rule.sh b/CI/test_cases/container_cases/dev_cgroup_rule.sh +index 839a546c..5616d37a 100755 +--- a/CI/test_cases/container_cases/dev_cgroup_rule.sh ++++ b/CI/test_cases/container_cases/dev_cgroup_rule.sh +@@ -29,6 +29,9 @@ function test_cpu_dev_cgoup_rule_spec() + local image="busybox" + local test="container device cgroup rule test with (${runtime}) => (${FUNCNAME[@]})" + local test_dev="/dev/testA" ++ local default_config="/etc/default/isulad/config.json" ++ local default_config_bak="/etc/default/isulad/config.json.bak" ++ local test_cgroup_parent="/testABC" + + msg_info "${test} starting..." + +@@ -54,6 +57,27 @@ function test_cpu_dev_cgoup_rule_spec() + [[ $? -ne 0 ]] && [[ $cnt -le $priv_minor_88_cnt ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++)) + isula rm -f $priv_cid + ++ def_cid=$(isula run -tid --runtime $runtime -m 10m $image /bin/sh) ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++)) ++ cp $default_config $default_config_bak ++ sed -i '/"linux": {/a \ \t\t"devices": [\n\t\t{\n\t\t\t"type": "c",\n\t\t\t"path": "\/dev\/testABC",\n\t\t\t"major": 88,\n\t\t\t"minor": 88\n\t\t}\n\t\t],' $default_config ++ stop_isulad_without_valgrind ++ start_isulad_with_valgrind --cgroup-parent $test_cgroup_parent ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ isula restart -t 0 $def_cid ++ [[ $? 
-ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart container failed" && ((ret++)) ++ cat /sys/fs/cgroup/memory/$test_cgroup_parent/$def_cid/memory.limit_in_bytes | grep ^10485760$ ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - --cgroup-parent cannot work" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$def_cid/config.json | grep "major\": 88" | wc -l) ++ [[ $? -ne 0 ]]&& [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device major failed" && ((ret++)) ++ cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$def_cid/config.json | grep "minor\": 88" | wc -l) ++ [[ $? -ne 0 ]] && [[ $cnt -ne 2 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check device minor failed" && ((ret++)) ++ isula rm -f $def_cid ++ cp $default_config_bak $default_config ++ stop_isulad_without_valgrind ++ start_isulad_with_valgrind ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) ++ + cid=$(isula run -tid --device "$test_dev:$test_dev" --runtime $runtime $image /bin/sh) + [[ $? 
-ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++)) + cnt=$(cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "major\": 88" | wc -l) +diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h +index f48f0bda..1a5a6ecc 100644 +--- a/src/daemon/modules/api/specs_api.h ++++ b/src/daemon/modules/api/specs_api.h +@@ -40,6 +40,8 @@ int parse_security_opt(const host_config *host_spec, bool *no_new_privileges, ch + int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_spec, + const container_config_v2_common_config_network_settings *network_settings); + ++int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *container_spec, host_config *host_spec); ++ + const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container); + + int spec_module_init(void); +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index a5c12862..99e94e81 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -683,11 +683,18 @@ out: + epoll_loop_close(&descr); + } + +-static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, host_config *hostconfig) ++static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, container_config *container_spec, host_config *hostconfig) + { + char *cgroup_parent = NULL; + int ret; + ++ // First renew annotations for oci spec, cgroup path, rootfs.mount, native.mask ++ // for iSulad daemon might get updated ++ ret = update_spec_annotations(oci_spec, container_spec, hostconfig); ++ if (ret < 0) { ++ return -1; ++ } ++ + // If isulad daemon cgroup parent updated, we should update this config into oci spec + cgroup_parent = merge_container_cgroups_path(id, hostconfig); + if (cgroup_parent == NULL) { +@@ -795,13 +802,20 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + } 
+ + // Update possible changes +- nret = do_oci_spec_update(id, oci_spec, cont->hostconfig); ++ nret = do_oci_spec_update(id, oci_spec, cont->common_config->config, cont->hostconfig); + if (nret != 0) { + ERROR("Failed to update possible changes for oci spec"); + ret = -1; + goto close_exit_fd; + } + ++ nret = container_to_disk(cont); ++ if (nret != 0) { ++ ERROR("Failed to save container info to disk"); ++ ret = -1; ++ goto close_exit_fd; ++ } ++ + nret = setup_ipc_dirs(cont->hostconfig, cont->common_config); + if (nret != 0) { + ERROR("Failed to setup ipc dirs"); +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index 316e9c92..8a112496 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -386,6 +386,44 @@ out: + return ret; + } + ++int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *container_spec, host_config *host_spec) ++{ ++ int ret = 0; ++ if (oci_spec == NULL || container_spec == NULL || host_spec == NULL) { ++ return -1; ++ } ++ ++ ret = make_sure_container_spec_annotations(container_spec); ++ if (ret < 0) { ++ return -1; ++ } ++ ++ ret = make_annotations_cgroup_dir(container_spec, host_spec); ++ if (ret != 0) { ++ return -1; ++ } ++ ++ /* add rootfs.mount */ ++ ret = add_rootfs_mount(container_spec); ++ if (ret != 0) { ++ ERROR("Failed to add rootfs mount"); ++ return -1; ++ } ++ ++ /* add native.umask */ ++ ret = add_native_umask(container_spec); ++ if (ret != 0) { ++ ERROR("Failed to add native umask"); ++ return -1; ++ } ++ ++ if (merge_annotations(oci_spec, container_spec)) { ++ return -1; ++ } ++ ++ return 0; ++} ++ + /* default_spec returns default oci spec used by isulad. */ + oci_runtime_spec *default_spec(bool system_container) + { +-- +2.25.1 + diff --git a/0189-do-not-update-rootfs-mnt-and-umask-annotations.patch b/0189-do-not-update-rootfs-mnt-and-umask-annotations.patch new file mode 100644 index 0000000..bf869d9 --- /dev/null 
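Review bot: update_spec_annotations in specs.c tests its helpers three different ways — `ret < 0` for make_sure_container_spec_annotations, `ret != 0` for make_annotations_cgroup_dir, and a bare `if (merge_annotations(...))` — and the first two failure paths return -1 without an ERROR, so a failed annotation refresh is reported only as the generic "Failed to update possible changes for oci spec" from do_start_container. Pick one convention and log each branch, e.g. `if (make_annotations_cgroup_dir(container_spec, host_spec) != 0) { ERROR("Failed to update cgroup dir annotation"); return -1; }`. In do_start_container the new container_to_disk call persists the refreshed config before setup_ipc_dirs and the remaining start steps run, so a start that fails afterwards leaves the on-disk config already rewritten; presumably harmless because the values are recomputed on the next start, but a one-line comment saying so would save the next reader the question. do_start_container and the CI shell function both begin and end outside this hunk.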
+++ b/0189-do-not-update-rootfs-mnt-and-umask-annotations.patch 
@@ -0,0 +1,55 @@ +From bd64c224c588a4aea6ff8f28ffa3285d7dcf296b Mon Sep 17 00:00:00 2001 +From: jikai +Date: Mon, 22 Jan 2024 20:19:29 +0800 +Subject: [PATCH 189/198] do not update rootfs mnt and umask annotations + +Signed-off-by: jikai +--- + src/daemon/modules/service/service_container.c | 4 ++-- + src/daemon/modules/spec/specs.c | 15 ++------------- + 2 files changed, 4 insertions(+), 15 deletions(-) + +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 99e94e81..d2802db0 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -688,8 +688,8 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai + char *cgroup_parent = NULL; + int ret; + +- // First renew annotations for oci spec, cgroup path, rootfs.mount, native.mask +- // for iSulad daemon might get updated ++ // Renew annotations for oci spec, cgroup path only, ++ // since lxc uses the "cgroup.dir" in oci annotations to create cgroup + ret = update_spec_annotations(oci_spec, container_spec, hostconfig); + if (ret < 0) { + return -1; +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index 8a112496..781282f5 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -403,19 +403,8 @@ int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *contai + return -1; + } + +- /* add rootfs.mount */ +- ret = add_rootfs_mount(container_spec); +- if (ret != 0) { +- ERROR("Failed to add rootfs mount"); +- return -1; +- } +- +- /* add native.umask */ +- ret = add_native_umask(container_spec); +- if (ret != 0) { +- ERROR("Failed to add native umask"); +- return -1; +- } ++ // other annotations will either not be updated after containers created ++ // or for rootfs mnt and umask, we do not support the update operation + + if (merge_annotations(oci_spec, container_spec)) { + return -1; +-- 
+2.25.1
+
diff --git a/0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch b/0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch
new file mode 100644
index 0000000..14fe366
--- /dev/null
+++ b/0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch
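Review bot: The replacement comment in update_spec_annotations is hard to parse as written (`other annotations will either not be updated after containers created or for rootfs mnt and umask, we do not support the update operation`); suggest `// Only cgroup.dir is recomputed here: the other annotations are fixed at create time, and updating rootfs.mount / native.umask is not supported`. The reworded header in do_oci_spec_update says "cgroup path only", yet update_spec_annotations still merges every container_spec annotation into oci_spec via merge_annotations, so the comment should say that only cgroup.dir is recomputed rather than that only cgroup.dir is copied. update_spec_annotations begins outside this hunk.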
@@ -0,0 +1,49 @@
+From 8d760da7f5f58c8caa0e8546f33f02dfcd473185 Mon Sep 17 00:00:00 2001
+From: jikai
+Date: Tue, 23 Jan 2024 14:25:17 +0800
+Subject: [PATCH 190/198] update rootfs.mnt in container spec for system
+ container
+
+Signed-off-by: jikai
+---
+ src/daemon/executor/container_cb/execution_create.c | 7 +++++--
+ src/daemon/modules/service/service_container.c | 1 +
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c
+index d5e54aaf..a0b3fd9e 100644
+--- a/src/daemon/executor/container_cb/execution_create.c
++++ b/src/daemon/executor/container_cb/execution_create.c
+@@ -564,12 +564,15 @@ static int merge_config_for_syscontainer(const container_create_request *request
+ value = request->rootfs;
+ }
+
+- if (append_json_map_string_string(oci_spec->annotations, "rootfs.mount", value)) {
++ // should also update to container spec
++ if (append_json_map_string_string(container_spec->annotations, "rootfs.mount", value)
++ || append_json_map_string_string(oci_spec->annotations, "rootfs.mount", value)) {
+ ERROR("Realloc annotations failed");
+ ret = -1;
+ goto out;
+ }
+- if (request->rootfs != NULL && append_json_map_string_string(oci_spec->annotations, "external.rootfs", "true")) {
++ if (request->rootfs != NULL && (append_json_map_string_string(container_spec->annotations, "external.rootfs", "true")
++ || append_json_map_string_string(oci_spec->annotations, "external.rootfs", "true"))) {
+ ERROR("Realloc annotations failed");
+ ret = -1;
+ goto out;
+diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
+index d2802db0..534a0a1d 100644
+--- a/src/daemon/modules/service/service_container.c
++++ b/src/daemon/modules/service/service_container.c
+@@ -690,6 +690,7 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
+
+ // Renew annotations for oci spec, cgroup path only,
+ // since lxc uses the "cgroup.dir" in oci annotations to create cgroup
++ // should ensure that container spec has the same annotations as oci spec
+ ret = update_spec_annotations(oci_spec, container_spec, hostconfig);
+ if (ret < 0) {
+ return -1;
+--
+2.25.1
+
diff --git a/0191-bugfix-for-mount-point-remains-under-special-circums.patch b/0191-bugfix-for-mount-point-remains-under-special-circums.patch
new file mode 100644
index 0000000..cae12b0
--- /dev/null
+++ b/0191-bugfix-for-mount-point-remains-under-special-circums.patch
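Review bot: merge_config_for_syscontainer now appends to `container_spec->annotations` without anything in the hunk showing that map is allocated; patch 0188 added make_sure_container_spec_annotations for exactly that case, and if container_spec->annotations can still be NULL here the new append_json_map_string_string call receives a NULL map. If it is guaranteed to be allocated earlier in the function, a comment such as `// container_spec->annotations is allocated by <caller> before this point` would settle it; otherwise call make_sure_container_spec_annotations(container_spec) before the first append. The function starts outside this hunk, so the earlier initialisation cannot be checked from here.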
@@ -0,0 +1,123 @@
+From a733a9ef962aa003f5475d9494c853f900a66ed3 Mon Sep 17 00:00:00 2001
+From: zhongtao
+Date: Thu, 25 Jan 2024 11:24:59 +0800
+Subject: [PATCH 191/198] bugfix for mount point remains under special
+ circumstances
+
+Signed-off-by: zhongtao
+---
+ src/cmd/isulad/main.c | 14 +++++++-------
+ .../modules/container/leftover_cleanup/cleanup.c | 14 +++++++-------
+ src/utils/tar/util_archive.c | 14 +++++++-------
+ 3 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
+index 1bcef43f..defc347c 100644
+--- a/src/cmd/isulad/main.c
++++ b/src/cmd/isulad/main.c
+@@ -1277,23 +1277,23 @@ static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir)
+ char tmp_dir[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
+
+- nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_dir);
+- if (nret < 0 || (size_t)nret >= PATH_MAX) {
+- ERROR("Failed to snprintf");
++ if (realpath(isulad_tmp_dir, cleanpath) == NULL) {
++ ERROR("Failed to get real path for %s", tmp_dir);
+ return -1;
+ }
+
+- if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) {
+- ERROR("Failed to clean path for %s", tmp_dir);
++ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", cleanpath);
++ if (nret < 0 || (size_t)nret >= PATH_MAX) {
++ ERROR("Failed to snprintf");
+ return -1;
+ }
+
+- if (isulad_tmpdir_security_check(cleanpath) == 0) {
++ if (isulad_tmpdir_security_check(tmp_dir) == 0) {
+ return 0;
+ }
+
+ INFO("iSulad tmpdir: %s does not meet security requirements, recreate it", isulad_tmp_dir);
+- return recreate_tmpdir(cleanpath);
++ return recreate_tmpdir(tmp_dir);
+ }
+
+ static int ensure_isulad_tmpdir_security()
+diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
+index af5f0eee..93571925 100644
+--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
+@@ -175,22 +175,22 @@ static void cleanup_path(char *dir)
+ char tmp_dir[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
+
+- nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", dir);
+- if (nret < 0 || (size_t)nret >= PATH_MAX) {
+- ERROR("Failed to snprintf");
++ if (realpath(dir, cleanpath) == NULL) {
++ ERROR("get real path for %s failed", tmp_dir);
+ return;
+ }
+
+- if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) {
+- ERROR("clean path for %s failed", tmp_dir);
++ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", cleanpath);
++ if (nret < 0 || (size_t)nret >= PATH_MAX) {
++ ERROR("Failed to snprintf");
+ return;
+ }
+
+- if (!util_dir_exists(cleanpath)) {
++ if (!util_dir_exists(tmp_dir)) {
+ return;
+ }
+
+- nret = util_scan_subdirs(cleanpath, walk_isulad_tmpdir_cb, NULL);
++ nret = util_scan_subdirs(tmp_dir, walk_isulad_tmpdir_cb, NULL);
+ if (nret != 0) {
+ ERROR("failed to scan isulad tmp subdirs");
+ }
+diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c
+index 86947c0b..4db68f7c 100644
+--- a/src/utils/tar/util_archive.c
++++ b/src/utils/tar/util_archive.c
+@@ -215,18 +215,18 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch
+ isulad_tmpdir_env = DEFAULT_ISULAD_TMPDIR;
+ }
+
+- nret = snprintf(isula_tmpdir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmpdir_env);
+- if (nret < 0 || (size_t)nret >= PATH_MAX) {
+- ERROR("Failed to snprintf");
++ if (realpath(isulad_tmpdir_env, cleanpath) == NULL) {
++ ERROR("Failed to get real path for %s", isula_tmpdir);
+ return -1;
+ }
+
+- if (util_clean_path(isula_tmpdir, cleanpath, sizeof(cleanpath)) == NULL) {
+- ERROR("clean path for %s failed", isula_tmpdir);
++ nret = snprintf(isula_tmpdir, PATH_MAX, "%s/isulad_tmpdir", cleanpath);
++ if (nret < 0 || (size_t)nret >= PATH_MAX) {
++ ERROR("Failed to snprintf");
+ return -1;
+ }
+
+- nret = snprintf(tmp_dir, PATH_MAX, "%s/tar-chroot-XXXXXX", cleanpath);
++ nret = snprintf(tmp_dir, PATH_MAX, "%s/tar-chroot-XXXXXX", isula_tmpdir);
+ if (nret < 0 || (size_t)nret >= PATH_MAX) {
+ ERROR("Failed to snprintf string");
+ return -1;
+@@ -244,7 +244,7 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch
+ }
+
+ // ensure parent dir is exist
+- if (util_mkdir_p(cleanpath, ISULAD_TEMP_DIRECTORY_MODE) != 0) {
++ if (util_mkdir_p(isula_tmpdir, ISULAD_TEMP_DIRECTORY_MODE) != 0) {
+ return -1;
+ }
+
+--
+2.25.1
+
diff --git a/0192-do-not-cleanup-if-the-directory-does-not-exist.patch b/0192-do-not-cleanup-if-the-directory-does-not-exist.patch
new file mode 100644
index 0000000..206ced8
--- /dev/null
+++ b/0192-do-not-cleanup-if-the-directory-does-not-exist.patch
@@ -0,0 +1,71 @@
+From 622e99675869fb070dfe850715f062f4c9747e2f Mon Sep 17 00:00:00 2001
+From: zhongtao
+Date: Fri, 26 Jan 2024 12:59:45 +0800
+Subject: [PATCH 192/198] do not cleanup if the directory does not exist
+
+Signed-off-by: zhongtao
+---
+ src/cmd/isulad/main.c | 20 ++++++++++++++++++-
+ .../container/leftover_cleanup/cleanup.c | 13 +++++++++++-
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c
+index defc347c..5fb702b6 100644
+--- a/src/cmd/isulad/main.c
++++ b/src/cmd/isulad/main.c
+@@ -1276,8 +1276,26 @@ static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir)
+ int nret;
+ char tmp_dir[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
++ char isulad_tmp_cleanpath[PATH_MAX] = { 0 };
+
+- if (realpath(isulad_tmp_dir, cleanpath) == NULL) {
++ if (util_clean_path(isulad_tmp_dir, isulad_tmp_cleanpath, sizeof(isulad_tmp_cleanpath)) == NULL) {
++ ERROR("Failed to clean path for %s", isulad_tmp_dir);
++ return -1;
++ }
++
++ // Determine whether isulad_tmp_dir exists. If it does not exist, create it
++ // to prevent realpath from reporting errors because the folder does not exist.
++ if (!util_dir_exists(isulad_tmp_cleanpath)) {
++ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_cleanpath);
++ if (nret < 0 || (size_t)nret >= PATH_MAX) {
++ ERROR("Failed to snprintf");
++ return -1;
++ }
++ INFO("iSulad tmpdir: %s does not exist, create it", isulad_tmp_dir);
++ return recreate_tmpdir(tmp_dir);
++ }
++
++ if (realpath(isulad_tmp_cleanpath, cleanpath) == NULL) {
+ ERROR("Failed to get real path for %s", tmp_dir);
+ return -1;
+ }
+diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c
+index 93571925..c23c901a 100644
+--- a/src/daemon/modules/container/leftover_cleanup/cleanup.c
++++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c
+@@ -174,8 +174,19 @@ static void cleanup_path(char *dir)
+ int nret;
+ char tmp_dir[PATH_MAX] = { 0 };
+ char cleanpath[PATH_MAX] = { 0 };
++ char dir_cleanpath[PATH_MAX] = { 0 };
+
+- if (realpath(dir, cleanpath) == NULL) {
++ if (util_clean_path(dir, dir_cleanpath, sizeof(dir_cleanpath)) == NULL) {
++ ERROR("clean path for %s failed", dir);
++ return;
++ }
++
++ // If dir does not exist, skip cleanup
++ if (!util_dir_exists(dir_cleanpath)) {
++ return;
++ }
++
++ if (realpath(dir_cleanpath, cleanpath) == NULL) {
+ ERROR("get real path for %s failed", tmp_dir);
+ return;
+ }
+--
+2.25.1
+
diff --git a/0193-module-only-deletes-the-temporary-files-it-creates.patch b/0193-module-only-deletes-the-temporary-files-it-creates.patch
new file mode 100644
index 0000000..8ad0f1a
--- /dev/null
+++ b/0193-module-only-deletes-the-temporary-files-it-creates.patch
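Review bot: The realpath() error lines kept as context in both hunks still print `tmp_dir`, which is still empty at that point; now that the cleaned input exists they should print it — `ERROR("Failed to get real path for %s", isulad_tmp_cleanpath);` in do_ensure_isulad_tmpdir_security and `ERROR("get real path for %s failed", dir_cleanpath);` in cleanup_path. In the new not-exists branch the tmpdir is created from the lexically cleaned path and isulad_tmpdir_security_check is never run on it, which is sound only if recreate_tmpdir creates it with the mode and ownership that check demands (recreate_tmpdir is outside the hunk). There is also a check-then-act window between util_dir_exists and recreate_tmpdir; unless the parent is writable only by the daemon's user, the freshly created directory should be re-validated with isulad_tmpdir_security_check before returning 0. The remainder of do_ensure_isulad_tmpdir_security is outside the hunk.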
@@ -0,0 +1,151 @@ +From b2e274466fdc3b8cffeba952844bcd2d62bece31 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Sat, 27 Jan 2024 11:16:37 +0800 +Subject: [PATCH 193/198] module only deletes the temporary files it creates + +Signed-off-by: zhongtao +--- + src/cmd/isulad/main.c | 2 +- + src/common/constants.h | 2 +- + src/daemon/modules/image/oci/oci_image.c | 44 +++++++++++++++++-- + src/daemon/modules/image/oci/oci_image.h | 4 ++ + src/daemon/modules/image/oci/oci_load.c | 2 +- + .../modules/image/oci/registry/registry.c | 2 +- + 6 files changed, 48 insertions(+), 8 deletions(-) + +diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c +index 5fb702b6..58319ad0 100644 +--- a/src/cmd/isulad/main.c ++++ b/src/cmd/isulad/main.c +@@ -1258,7 +1258,7 @@ static int isulad_tmpdir_security_check(const char *tmp_dir) + + static int recreate_tmpdir(const char *tmp_dir) + { +- if (util_recursive_rmdir(tmp_dir, 0) != 0) { ++ if (util_path_remove(tmp_dir) != 0) { + ERROR("Failed to remove directory %s", tmp_dir); + return -1; + } +diff --git a/src/common/constants.h b/src/common/constants.h +index 9ea3def7..d6fe6e50 100644 +--- a/src/common/constants.h ++++ b/src/common/constants.h +@@ -50,7 +50,7 @@ extern "C" { + + #define TEMP_DIRECTORY_MODE 0700 + +-#define ISULAD_TEMP_DIRECTORY_MODE 0600 ++#define ISULAD_TEMP_DIRECTORY_MODE 0700 + + #define CONSOLE_FIFO_DIRECTORY_MODE 0770 + +diff --git a/src/daemon/modules/image/oci/oci_image.c b/src/daemon/modules/image/oci/oci_image.c +index f525f621..e3f28051 100644 +--- a/src/daemon/modules/image/oci/oci_image.c ++++ b/src/daemon/modules/image/oci/oci_image.c +@@ -279,10 +279,42 @@ out: + return ret; + } + ++// remove dir that image module created ++// return false when failed to rmdir ++// eg: oci-image-load-XXXXXX && registry-XXXXXX ++static bool remove_image_tmpdir_cb(const char *path_name, const struct dirent *sub_dir, void *context) ++{ ++ int nret = 0; ++ char tmpdir[PATH_MAX] = { 0 }; ++ ++ if (sub_dir == NULL) { ++ return 
true; ++ } ++ ++ if (!util_has_prefix(sub_dir->d_name, LOAD_TMPDIR_PREFIX) && !util_has_prefix(sub_dir->d_name, REGISTRY_TMPDIR_PREFIX)) { ++ // only remove directory that image module created ++ return true; ++ } ++ ++ nret = snprintf(tmpdir, PATH_MAX, "%s/%s", path_name, sub_dir->d_name); ++ if (nret < 0 || (size_t)nret >= PATH_MAX) { ++ ERROR("Failed to snprintf for %s", sub_dir->d_name); ++ return false; ++ } ++ ++ if (util_recursive_rmdir(tmpdir, 0) != 0) { ++ ERROR("Failed to remove path %s", tmpdir); ++ return false; ++ } ++ ++ return true; ++} ++ + static int recreate_image_tmpdir() + { + char *image_tmp_path = NULL; + int ret = 0; ++ int nret = 0; + + image_tmp_path = oci_get_isulad_tmpdir(g_oci_image_module_data.root_dir); + if (image_tmp_path == NULL) { +@@ -291,10 +323,14 @@ static int recreate_image_tmpdir() + goto out; + } + +- if (util_recursive_rmdir(image_tmp_path, 0)) { +- ERROR("failed to remove directory %s", image_tmp_path); +- ret = -1; +- goto out; ++ // If image_tmp_path exist, cleanup it ++ if (util_dir_exists(image_tmp_path)) { ++ nret = util_scan_subdirs(image_tmp_path, remove_image_tmpdir_cb, NULL); ++ if (nret != 0) { ++ ERROR("Failed to scan isulad tmp subdirs"); ++ ret = -1; ++ goto out; ++ } + } + + if (util_mkdir_p(image_tmp_path, TEMP_DIRECTORY_MODE)) { +diff --git a/src/daemon/modules/image/oci/oci_image.h b/src/daemon/modules/image/oci/oci_image.h +index 3f0a87b7..cb180e1c 100644 +--- a/src/daemon/modules/image/oci/oci_image.h ++++ b/src/daemon/modules/image/oci/oci_image.h +@@ -38,6 +38,10 @@ struct oci_image_module_data { + char **insecure_registries; + size_t insecure_registries_len; + }; ++ ++#define LOAD_TMPDIR_PREFIX "oci-image-load-" ++#define REGISTRY_TMPDIR_PREFIX "registry-" ++ + struct oci_image_module_data *get_oci_image_data(void); + + int oci_init(const isulad_daemon_configs *args); +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index 3fc8cfb8..efffa6f5 100644 +--- 
a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -1044,7 +1044,7 @@ static char *oci_load_path_create() + goto out; + } + +- nret = snprintf(tmp_dir, PATH_MAX, "%s/oci-image-load-XXXXXX", image_tmp_path); ++ nret = snprintf(tmp_dir, PATH_MAX, "%s/%sXXXXXX", image_tmp_path, LOAD_TMPDIR_PREFIX); + if (nret < 0 || (size_t)nret >= sizeof(tmp_dir)) { + ERROR("Path is too long"); + ret = -1; +diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c +index d586d1c7..5265b5ab 100644 +--- a/src/daemon/modules/image/oci/registry/registry.c ++++ b/src/daemon/modules/image/oci/registry/registry.c +@@ -1902,7 +1902,7 @@ static int prepare_pull_desc(pull_descriptor *desc, registry_pull_options *optio + goto out; + } + +- sret = snprintf(blobpath, PATH_MAX, "%s/registry-XXXXXX", image_tmp_path); ++ sret = snprintf(blobpath, PATH_MAX, "%s/%sXXXXXX", image_tmp_path, REGISTRY_TMPDIR_PREFIX); + if (sret < 0 || (size_t)sret >= PATH_MAX) { + ERROR("image tmp work path too long"); + ret = -1; +-- +2.25.1 + diff --git a/0194-ensure-default-spec-has-linux-resources.patch b/0194-ensure-default-spec-has-linux-resources.patch new file mode 100644 index 0000000..c1aa8b7 --- /dev/null +++ b/0194-ensure-default-spec-has-linux-resources.patch 
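Review bot: recreate_tmpdir in main.c now calls util_path_remove instead of util_recursive_rmdir; if util_path_remove removes only a single entry, recreate_tmpdir fails whenever isulad_tmpdir is non-empty — which is exactly the situation when the security check has just rejected it — and daemon start-up stops with "Failed to remove directory". If that is intended (the commit title says the module deletes only what it created), the message should tell the operator to clean the directory by hand; otherwise keep the recursive removal on the security-check path. The not-exists branch added in 0192 also reaches recreate_tmpdir with a path that does not exist yet, so util_path_remove must tolerate ENOENT there. In remove_image_tmpdir_cb the prefix test on `d_name` is the only filter before util_recursive_rmdir, so a symlink with a matching name is handed to it as well; confirm that helper does not follow symlinks (lstat/d_type) or add the check here. recreate_tmpdir and the tail of recreate_image_tmpdir are outside the hunks.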
@@ -0,0 +1,31 @@
+From 011afc6bcad5638edd2efa15815503631ef7aa69 Mon Sep 17 00:00:00 2001
+From: jikai
+Date: Sat, 27 Jan 2024 15:29:36 +0800
+Subject: [PATCH 194/198] ensure default spec has linux resources
+
+Signed-off-by: jikai
+---
+ src/daemon/modules/spec/specs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
+index 781282f5..dd6e413b 100644
+--- a/src/daemon/modules/spec/specs.c
++++ b/src/daemon/modules/spec/specs.c
+@@ -2382,11 +2382,11 @@ const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container)
+ int spec_module_init(void)
+ {
+ g_rdspec.cont = default_spec(false);
+- if (g_rdspec.cont == NULL) {
++ if (g_rdspec.cont == NULL || make_sure_oci_spec_linux_resources(g_rdspec.cont) != 0) {
+ return -1;
+ }
+ g_rdspec.system_cont = default_spec(true);
+- if (g_rdspec.system_cont == NULL) {
++ if (g_rdspec.system_cont == NULL || make_sure_oci_spec_linux_resources(g_rdspec.system_cont) != 0) {
+ return -1;
+ }
+ return 0;
+--
+2.25.1
+
diff --git a/0195-improve-dt-for-oci-device-update.patch b/0195-improve-dt-for-oci-device-update.patch
new file mode 100644
index 0000000..3bc8008
--- /dev/null
+++ b/0195-improve-dt-for-oci-device-update.patch
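Review bot: spec_module_init returns -1 without any log when make_sure_oci_spec_linux_resources fails, so a start-up failure caused by the new check carries no diagnostic; add `ERROR("Failed to ensure linux resources for default oci spec");` before each return. The already-allocated g_rdspec.cont is also not released when the system_cont step fails, which matters only if the module can be re-initialised — whether anything frees g_rdspec on failure is outside the hunk. spec_module_init ends inside the hunk.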
@@ -0,0 +1,152 @@ +From baa75b2db9a020c0e0552c7236fbbf08ede07f20 Mon Sep 17 00:00:00 2001 +From: jikai +Date: Sat, 27 Jan 2024 15:30:05 +0800 +Subject: [PATCH 195/198] improve dt for oci device update + +Signed-off-by: jikai +--- + .../container_cases/dev_cgroup_rule.sh | 2 +- + test/specs/specs/CMakeLists.txt | 1 + + test/specs/specs/specs_ut.cc | 90 +++++++++++++++++++ + 3 files changed, 92 insertions(+), 1 deletion(-) + +diff --git a/CI/test_cases/container_cases/dev_cgroup_rule.sh b/CI/test_cases/container_cases/dev_cgroup_rule.sh +index 5616d37a..f6a58d15 100755 +--- a/CI/test_cases/container_cases/dev_cgroup_rule.sh ++++ b/CI/test_cases/container_cases/dev_cgroup_rule.sh +@@ -60,7 +60,7 @@ function test_cpu_dev_cgoup_rule_spec() + def_cid=$(isula run -tid --runtime $runtime -m 10m $image /bin/sh) + [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - run container failed" && ((ret++)) + cp $default_config $default_config_bak +- sed -i '/"linux": {/a \ \t\t"devices": [\n\t\t{\n\t\t\t"type": "c",\n\t\t\t"path": "\/dev\/testABC",\n\t\t\t"major": 88,\n\t\t\t"minor": 88\n\t\t}\n\t\t],' $default_config ++ sed -i '/"linux": {/a \ \t\t"devices": [\n\t\t{\n\t\t\t"type": "c",\n\t\t\t"path": "\/dev\/testA",\n\t\t\t"major": 88,\n\t\t\t"minor": 88\n\t\t}\n\t\t],' $default_config + stop_isulad_without_valgrind + start_isulad_with_valgrind --cgroup-parent $test_cgroup_parent + [[ $? 
-ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) +diff --git a/test/specs/specs/CMakeLists.txt b/test/specs/specs/CMakeLists.txt +index c4b36c5f..22505a97 100644 +--- a/test/specs/specs/CMakeLists.txt ++++ b/test/specs/specs/CMakeLists.txt +@@ -81,6 +81,7 @@ target_include_directories(${EXE} PUBLIC + ${CMAKE_CURRENT_SOURCE_DIR}/../../../test/mocks + ) + ++set_target_properties(${EXE} PROPERTIES LINK_FLAGS "-Wl,--wrap,util_common_calloc_s -Wl,--wrap,util_smart_calloc_s -Wl,--wrap,get_readonly_default_oci_spec") + target_link_libraries(${EXE} ${GTEST_BOTH_LIBRARIES} ${GMOCK_LIBRARY} ${GMOCK_MAIN_LIBRARY} ${CMAKE_THREAD_LIBS_INIT} ${ISULA_LIBUTILS_LIBRARY} -lgrpc++ -lprotobuf -lcrypto -lyajl -lz) + add_test(NAME ${EXE} COMMAND ${EXE} --gtest_output=xml:${EXE}-Results.xml) + set_tests_properties(${EXE} PROPERTIES TIMEOUT 120) +diff --git a/test/specs/specs/specs_ut.cc b/test/specs/specs/specs_ut.cc +index a2bd3890..8fbaa337 100644 +--- a/test/specs/specs/specs_ut.cc ++++ b/test/specs/specs/specs_ut.cc +@@ -19,6 +19,7 @@ + #include "mock.h" + #include "isula_libutils/oci_runtime_spec.h" + #include "specs_api.h" ++#include "specs_mount.h" + #include "specs_namespace.h" + #include "isula_libutils/host_config.h" + #include "isula_libutils/container_config.h" +@@ -41,6 +42,46 @@ using ::testing::_; + + using namespace std; + ++static int g_malloc_count = 0; ++static int g_malloc_match = 1; ++ ++extern "C" { ++ DECLARE_WRAPPER_V(util_common_calloc_s, void *, (size_t size)); ++ DEFINE_WRAPPER_V(util_common_calloc_s, void *, (size_t size), (size)); ++ ++ DECLARE_WRAPPER_V(util_smart_calloc_s, void *, (size_t size, size_t len)); ++ DEFINE_WRAPPER_V(util_smart_calloc_s, void *, (size_t size, size_t len), (size, len)); ++ ++ DECLARE_WRAPPER(get_readonly_default_oci_spec, const oci_runtime_spec *, (bool system_container)); ++ DEFINE_WRAPPER(get_readonly_default_oci_spec, const oci_runtime_spec *, (bool system_container), (system_container)); ++} ++ 
++void *util_common_calloc_s_fail(size_t size) ++{ ++ g_malloc_count++; ++ ++ if (g_malloc_count == g_malloc_match) { ++ g_malloc_match++; ++ g_malloc_count = 0; ++ return nullptr; ++ } else { ++ return __real_util_common_calloc_s(size); ++ } ++} ++ ++void *util_smart_calloc_s_fail(size_t size, size_t len) ++{ ++ g_malloc_count++; ++ ++ if (g_malloc_count == g_malloc_match) { ++ g_malloc_match++; ++ g_malloc_count = 0; ++ return nullptr; ++ } else { ++ return __real_util_smart_calloc_s(size, len); ++ } ++} ++ + class SpecsUnitTest : public testing::Test { + public: + void SetUp() override +@@ -324,3 +365,52 @@ TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_5) + + testing::Mock::VerifyAndClearExpectations(&m_isulad_conf); + } ++ ++TEST_F(SpecsUnitTest, SpecsUnitTest_test_update_devcies_for_oci_spec) ++{ ++ parser_error err = nullptr; ++ oci_runtime_spec *readonly_spec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \ ++ { \"devices\": \ ++ [ { \"type\": \"c\", \"path\": \"/dev/testA\", \ ++ \"fileMode\": 8612, \"major\": 99, \"minor\": 99} ], \ ++ \"resources\": { \"devices\": [ { \"allow\": false, \ ++ \"type\": \"a\", \"major\": -1, \ ++ \"minor\": -1, \"access\": \"rwm\" } ] } } }", nullptr, &err); ++ ASSERT_NE(readonly_spec, nullptr); ++ free(err); ++ err = nullptr; ++ host_config *hostspec = static_cast(util_common_calloc_s(sizeof(host_config))); ++ ASSERT_NE(hostspec, nullptr); ++ ++ oci_runtime_spec *ocispec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \ ++ { \"devices\": [ ], \ ++ \"resources\": { \"devices\": [ ] } } }", nullptr, &err); ++ ASSERT_NE(ocispec, nullptr); ++ ++ MOCK_SET(get_readonly_default_oci_spec, readonly_spec); ++ MOCK_SET_V(util_smart_calloc_s, util_smart_calloc_s_fail); ++ MOCK_SET_V(util_common_calloc_s, util_common_calloc_s_fail); ++ ++ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1); ++ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1); ++ 
ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1);
++ free(ocispec->linux->devices[0]);
++ free(ocispec->linux->devices);
++ ocispec->linux->devices = NULL;
++ ocispec->linux->devices_len = 0;
++ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), -1);
++ free(ocispec->linux->devices[0]);
++ free(ocispec->linux->devices);
++ ocispec->linux->devices = NULL;
++ ocispec->linux->devices_len = 0;
++ ASSERT_EQ(update_devcies_for_oci_spec(ocispec, hostspec), 0);
++
++ MOCK_CLEAR(get_readonly_default_oci_spec);
++ MOCK_CLEAR(util_smart_calloc_s);
++ MOCK_CLEAR(util_common_calloc_s);
++
++ free_oci_runtime_spec(readonly_spec);
++ free_oci_runtime_spec(ocispec);
++ free_host_config(hostspec);
++ free(err);
++}
+--
+2.25.1
+
diff --git a/0196-skip-devmapper-ut.patch b/0196-skip-devmapper-ut.patch
new file mode 100644
index 0000000..e8a1d67
--- /dev/null
+++ b/0196-skip-devmapper-ut.patch
@@ -0,0 +1,26 @@
+From 0112fee746125da97ec3aa7d532545ec93aa821b Mon Sep 17 00:00:00 2001
+From: jikai
+Date: Tue, 30 Jan 2024 12:31:37 +0800
+Subject: [PATCH 196/198] skip devmapper ut
+
+Signed-off-by: jikai
+---
+ CI/make-and-install.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CI/make-and-install.sh b/CI/make-and-install.sh
+index 08cc4520..819f2752 100755
+--- a/CI/make-and-install.sh
++++ b/CI/make-and-install.sh
+@@ -75,7 +75,7 @@ mkdir build && cd build
+ cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_UT=ON -DENABLE_SHIM_V2=ON ..
+ make -j $(nproc)
+ make install
+-ctest -T memcheck --output-on-failure
++ctest -E "driver_devmapper_ut" -T memcheck --output-on-failure
+ if [[ $? -ne 0 ]]; then
+ exit 1
+ fi
+--
+2.25.1
+
diff --git a/0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch b/0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch
new file mode 100644
index 0000000..ba048e0
--- /dev/null
+++ b/0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch
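Review bot: SpecsUnitTest_test_update_devcies_for_oci_spec drives the allocation-failure sequence through the file-scope counters g_malloc_count/g_malloc_match but never initialises them, so the exact sequence of -1 results depends on test ordering as soon as any other test in this binary uses the calloc wrappers; set them at the top of the test with `g_malloc_count = 0; g_malloc_match = 1;`. After each expected failure the test frees `ocispec->linux->devices[0]` without asserting the array state, so a failure at a different allocation point would dereference a NULL or stale devices array instead of failing the assertion — add `ASSERT_EQ(ocispec->linux->devices_len, 1);` before each of those frees. The trailing `free(err)` is only meaningful if the second oci_runtime_spec_parse_data set it; harmless but worth a comment.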
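Review bot: `ctest -E "driver_devmapper_ut"` disables a unit test in CI with no explanation in the script, so the exclusion will silently outlive whatever problem motivated it; add a comment above the line such as `# driver_devmapper_ut is excluded: <reason / tracking issue> — re-enable once fixed` with the reason filled in by the author.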
@@ -0,0 +1,136 @@
+From 0c19d0c481428fc91d832bd47846eff203005052 Mon Sep 17 00:00:00 2001
+From: jikai
+Date: Tue, 30 Jan 2024 13:16:35 +0800
+Subject: [PATCH 197/198] bugfix for cont restart when iSulad drops original
+ default-ulimit
+
+Signed-off-by: jikai
+---
+ src/daemon/modules/api/specs_api.h | 4 ++
+ .../modules/service/service_container.c | 14 ++----
+ src/daemon/modules/spec/specs.c | 46 +++++++++++++++++++
+ 3 files changed, 54 insertions(+), 10 deletions(-)
+
+diff --git a/src/daemon/modules/api/specs_api.h b/src/daemon/modules/api/specs_api.h
+index 1a5a6ecc..458e3806 100644
+--- a/src/daemon/modules/api/specs_api.h
++++ b/src/daemon/modules/api/specs_api.h
+@@ -42,6 +42,10 @@ int merge_share_namespace(oci_runtime_spec *oci_spec, const host_config *host_sp
+
+ int update_spec_annotations(oci_runtime_spec *oci_spec, container_config *container_spec, host_config *host_spec);
+
++int update_oci_container_cgroups_path(const char *id, oci_runtime_spec *oci_spec, const host_config *host_spec);
++
++int update_oci_ulimit(oci_runtime_spec *oci_spec, const host_config *host_spec);
++
+ const oci_runtime_spec *get_readonly_default_oci_spec(bool system_container);
+
+ int spec_module_init(void);
+diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
+index 534a0a1d..bad2a9e1 100644
+--- a/src/daemon/modules/service/service_container.c
++++ b/src/daemon/modules/service/service_container.c
+@@ -685,7 +685,6 @@ out:
+
+ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, container_config *container_spec, host_config *hostconfig)
+ {
+- char *cgroup_parent = NULL;
+ int ret;
+
+ // Renew annotations for oci spec, cgroup path only,
+@@ -697,16 +696,10 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
+ }
+
+ // If isulad daemon cgroup parent updated, we should update this config into oci spec
+- cgroup_parent = merge_container_cgroups_path(id, hostconfig);
+- if (cgroup_parent == NULL) {
++ ret = update_oci_container_cgroups_path(id, oci_spec, hostconfig);
++ if (ret < 0) {
+ return -1;
+ }
+- if (oci_spec->linux->cgroups_path != NULL && strcmp(oci_spec->linux->cgroups_path, cgroup_parent) != 0) {
+- free(oci_spec->linux->cgroups_path);
+- oci_spec->linux->cgroups_path = cgroup_parent;
+- cgroup_parent = NULL;
+- }
+- free(cgroup_parent);
+
+ // For Linux.Resources, isula update will save changes into oci spec;
+ // so we just skip it;
+@@ -719,7 +712,8 @@ static int do_oci_spec_update(const char *id, oci_runtime_spec *oci_spec, contai
+ }
+
+ // If isulad daemon ulimit updated, we should update this config into oci spec.
+- if (merge_global_ulimit(oci_spec) != 0) {
++ ret = update_oci_ulimit(oci_spec, hostconfig);
++ if (ret < 0) {
+ return -1;
+ }
+
+diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c
+index dd6e413b..d2088a8e 100644
+--- a/src/daemon/modules/spec/specs.c
++++ b/src/daemon/modules/spec/specs.c
+@@ -2165,6 +2165,28 @@ char *merge_container_cgroups_path(const char *id, const host_config *host_spec)
+ return ret;
+ }
+
++int update_oci_container_cgroups_path(const char *id, oci_runtime_spec *oci_spec, const host_config *hostconfig)
++{
++ if (oci_spec == NULL || oci_spec->linux == NULL) {
++ ERROR("Invalid arguments");
++ return -1;
++ }
++
++ char *cgroup_parent = merge_container_cgroups_path(id, hostconfig);
++ if (cgroup_parent == NULL) {
++ return -1;
++ }
++
++ if (oci_spec->linux->cgroups_path != NULL && strcmp(oci_spec->linux->cgroups_path, cgroup_parent) != 0) {
++ free(oci_spec->linux->cgroups_path);
++ oci_spec->linux->cgroups_path = cgroup_parent;
++ cgroup_parent = NULL;
++ }
++ free(cgroup_parent);
++
++ return 0;
++}
++
+ static int merge_oci_cgroups_path(const char *id, oci_runtime_spec *oci_spec, const host_config *host_spec)
+ {
+ if (id == NULL || oci_spec == NULL || host_spec == NULL) {
+@@ -2309,6 +2331,30 @@ out:
+ return ret;
+ }
+
++int update_oci_ulimit(oci_runtime_spec *oci_spec, const host_config *hostconfig) {
++ if (oci_spec == NULL || hostconfig == NULL) {
++ ERROR("Invalid arguments");
++ return -1;
++ }
++
++ size_t i = 0;
++ if (oci_spec->process != NULL) {
++ for (i = 0; i < oci_spec->process->rlimits_len; i++) {
++ free_defs_process_rlimits_element(oci_spec->process->rlimits[i]);
++ oci_spec->process->rlimits[i] = NULL;
++ }
++ free(oci_spec->process->rlimits);
++ oci_spec->process->rlimits = NULL;
++ oci_spec->process->rlimits_len = 0;
++ }
++
++ if (merge_conf_ulimits(oci_spec, hostconfig) != 0 || merge_global_ulimit(oci_spec) != 0) {
++ return -1;
++ }
++
++ return 0;
++}
++
+ /* read oci config */
+ oci_runtime_spec *load_oci_config(const char *rootpath, const char *name)
+ {
+--
+2.25.1
+
diff --git a/0198-improve-dt-for-default-ulimit-change.patch b/0198-improve-dt-for-default-ulimit-change.patch
new file mode 100644
index 0000000..e19f967
--- /dev/null
+++ b/0198-improve-dt-for-default-ulimit-change.patch
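Review bot: `update_oci_ulimit` frees every existing rlimit before calling `merge_conf_ulimits`, so when either merge fails the spec goes back to the caller with `rlimits_len == 0`; `do_oci_spec_update` returns -1 in that case, but whether the half-updated `oci_spec` is still persisted or used by the start path is not visible here, and if it is, a transient merge failure would leave a container running with no rlimits at all. Either build the new list aside and swap it in only on success, or state the contract at the definition: `/* Rebuild process.rlimits from the host_config ulimits plus the daemon default-ulimit. Existing rlimits are discarded first, so on failure the spec must not be reused. */`. Separately, the opening brace of `update_oci_ulimit` sits on the signature line while `update_oci_container_cgroups_path` in the same patch puts `{` on its own line; match the file style with `int update_oci_ulimit(oci_runtime_spec *oci_spec, const host_config *hostconfig)` followed by `{`.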
@@ -0,0 +1,145 @@
+From 507e8dee9c6467325d46faef6dc76900733ea85b Mon Sep 17 00:00:00 2001
+From: jikai
+Date: Tue, 30 Jan 2024 13:21:14 +0800
+Subject: [PATCH 198/198] improve dt for default ulimit change
+
+Signed-off-by: jikai
+---
+ CI/test_cases/container_cases/ulimit.sh | 19 ++++++
+ test/specs/specs/specs_ut.cc | 80 ++++++++++++++++++++++++-
+ 2 files changed, 98 insertions(+), 1 deletion(-)
+
+diff --git a/CI/test_cases/container_cases/ulimit.sh b/CI/test_cases/container_cases/ulimit.sh
+index f823dc1c..41cdcece 100755
+--- a/CI/test_cases/container_cases/ulimit.sh
++++ b/CI/test_cases/container_cases/ulimit.sh
+@@ -49,9 +49,28 @@ function test_ulimit()
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart failed" && ((ret++))
+ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed after restart" && ((ret++))
++
++ check_valgrind_log
++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
++
++ start_isulad_with_valgrind
++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
++
++ # if default ulimit of isulad changed, isula start should do update ulimit of oci spec
++ isula restart -t 0 $cid
++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - restart failed" && ((ret++))
++ cat ${RUNTIME_ROOT_PATH}/${runtime}/$cid/config.json | grep "RLIMIT_"
++ [[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check rlimit failed after restart" && ((ret++))
++
+ isula rm -f $cid
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rm container failed" && ((ret++))
+
++ check_valgrind_log
++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++))
++
++ start_isulad_with_valgrind --default-ulimit nproc=2048:4096 --default-ulimit nproc=2048:8192 --default-ulimit nofile=1024:4096
++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++))
++
+ isula run --ulimit nproc= $image --runtime $runtime /bin/sh > $ulimitlog 2>&1
+ cat $ulimitlog | grep "delimiter '=' can't be the first or the last character"
+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - check failed" && ((ret++))
+diff --git a/test/specs/specs/specs_ut.cc b/test/specs/specs/specs_ut.cc
+index 8fbaa337..d5105f43 100644
+--- a/test/specs/specs/specs_ut.cc
++++ b/test/specs/specs/specs_ut.cc
+@@ -273,6 +273,32 @@ char *invoke_conf_get_isulad_cgroup_parent()
+ return util_strdup_s("/var/lib/isulad/engines/lcr");
+ }
+
++int invoke_conf_get_isulad_default_ulimit_empty(host_config_ulimits_element ***ulimit)
++{
++ if (ulimit == nullptr) {
++ return -1;
++ }
++ return 0;
++}
++
++int invoke_conf_get_isulad_default_ulimit(host_config_ulimits_element ***ulimit)
++{
++ if (ulimit == nullptr) {
++ return -1;
++ }
++ host_config_ulimits_element *ele = static_cast(util_common_calloc_s(sizeof(host_config_ulimits_element)));
++ if (ele == nullptr) {
++ return -1;
++ }
++ ele->hard = 8192;
++ ele->soft = 2048;
++ ele->name = util_strdup_s("NPROC");
++
++ int ret = ulimit_array_append(ulimit, ele, ulimit_array_len(*ulimit));
++ free_host_config_ulimits_element(ele);
++ return ret;
++}
++
+ TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_1)
+ {
+ ASSERT_EQ(merge_container_cgroups_path(nullptr, nullptr), nullptr);
+@@ -366,7 +392,59 @@ TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_5)
+ testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
+ }
+
+-TEST_F(SpecsUnitTest, SpecsUnitTest_test_update_devcies_for_oci_spec)
++TEST_F(SpecsUnitTest, test_update_oci_container_cgroups_path)
++{
++ parser_error err = nullptr;
++ host_config *hostspec = static_cast(util_common_calloc_s(sizeof(host_config)));
++ ASSERT_NE(hostspec, nullptr);
++
++ oci_runtime_spec *ocispec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \
++ {} }", nullptr, &err);
++ ASSERT_NE(ocispec, nullptr);
++
++ ocispec->linux->cgroups_path = util_strdup_s("/isulad");
++ ASSERT_EQ(update_oci_container_cgroups_path("abcdef", nullptr, nullptr), -1);
++ EXPECT_CALL(m_isulad_conf, GetCgroupParent()).WillRepeatedly(Invoke(invoke_conf_get_isulad_cgroup_parent));
++ ASSERT_EQ(update_oci_container_cgroups_path("abcdef", ocispec, hostspec), 0);
++ ASSERT_STREQ(ocispec->linux->cgroups_path, "/var/lib/isulad/engines/lcr/abcdef");
++
++ free(err);
++ free_host_config(hostspec);
++ free_oci_runtime_spec(ocispec);
++
++ testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
++}
++
++TEST_F(SpecsUnitTest, test_update_oci_ulimit)
++{
++ parser_error err = nullptr;
++ host_config *hostspec = static_cast(util_common_calloc_s(sizeof(host_config)));
++ ASSERT_NE(hostspec, nullptr);
++
++ char *oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE);
++ ASSERT_TRUE(oci_config_file != nullptr);
++ oci_runtime_spec *ocispec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err);
++ ASSERT_NE(ocispec, nullptr);
++
++ ASSERT_EQ(update_oci_ulimit(nullptr, nullptr), -1);
++ EXPECT_CALL(m_isulad_conf, GetUlimit(_)).WillRepeatedly(Invoke(invoke_conf_get_isulad_default_ulimit));
++ ASSERT_EQ(update_oci_ulimit(ocispec, hostspec), 0);
++ ASSERT_EQ(ocispec->process->rlimits_len, 1);
++ ASSERT_EQ(ocispec->process->rlimits[0]->hard, 8192);
++ ASSERT_EQ(ocispec->process->rlimits[0]->soft, 2048);
++ ASSERT_STREQ(ocispec->process->rlimits[0]->type, "RLIMIT_NPROC");
++ EXPECT_CALL(m_isulad_conf, GetUlimit(_)).WillRepeatedly(Invoke(invoke_conf_get_isulad_default_ulimit_empty));
++ ASSERT_EQ(update_oci_ulimit(ocispec, hostspec), 0);
++ ASSERT_EQ(ocispec->process->rlimits_len, 0);
++
++ free(err);
++ free(oci_config_file);
++ free_host_config(hostspec);
++ free_oci_runtime_spec(ocispec);
++ testing::Mock::VerifyAndClearExpectations(&m_isulad_conf);
++}
++
++TEST_F(SpecsUnitTest, test_update_devcies_for_oci_spec)
+ {
+ parser_error err = nullptr;
+ oci_runtime_spec
*readonly_spec = oci_runtime_spec_parse_data("{\"ociVersion\": \"1.0.1\", \"linux\": \ +-- +2.25.1 + diff --git a/iSulad.spec b/iSulad.spec index aaf57a3..bb3f2cf 100644 --- a/iSulad.spec +++ b/iSulad.spec @@ -1,5 +1,5 @@ %global _version 2.0.18 -%global _release 15 +%global _release 16 %global is_systemd 1 %global enable_shimv2 1 %global is_embedded 1 @@ -194,6 +194,23 @@ Patch0178: 0178-remove-var-in-coverage-and-fix-build-test-remove.patch Patch0179: 0179-code-improve-for-oci_rmi.patch Patch0180: 0180-verify-name-and-digest-consistency.patch Patch0181: 0181-bugfix-for-resort_image_names.patch +Patch0182: 0182-fix-stopp-removes-cont-error-remove-inspect-error-lo.patch +Patch0183: 0183-check-if-shim-log.json-is-a-symlink.patch +Patch0184: 0184-bugfix-ignore-some-unsupported-file-types-when-archi.patch +Patch0185: 0185-iSulad-restart-isuald-when-upgrade-active-isulad.patch +Patch0186: 0186-refactor-update-possible-changed-resources-for-oci-s.patch +Patch0187: 0187-add-CI-testcase-for-update-oci-spec-in-start-op.patch +Patch0188: 0188-update-annotations-and-add-ci-cases.patch +Patch0189: 0189-do-not-update-rootfs-mnt-and-umask-annotations.patch +Patch0190: 0190-update-rootfs.mnt-in-container-spec-for-system-conta.patch +Patch0191: 0191-bugfix-for-mount-point-remains-under-special-circums.patch +Patch0192: 0192-do-not-cleanup-if-the-directory-does-not-exist.patch +Patch0193: 0193-module-only-deletes-the-temporary-files-it-creates.patch +Patch0194: 0194-ensure-default-spec-has-linux-resources.patch +Patch0195: 0195-improve-dt-for-oci-device-update.patch +Patch0196: 0196-skip-devmapper-ut.patch +Patch0197: 0197-bugfix-for-cont-restart-when-iSulad-drops-original-d.patch +Patch0198: 0198-improve-dt-for-default-ulimit-change.patch %ifarch x86_64 aarch64 Provides: libhttpclient.so()(64bit) 
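Review bot: The negative check added to ulimit.sh reuses the message `check rlimit failed after restart` from the positive check a few lines above, so a failing CI log cannot say whether RLIMIT_ entries were unexpectedly present or unexpectedly absent. Give the `-eq 0` branch its own wording, e.g. `[[ $? -eq 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - rlimit should have been dropped after restart without default-ulimit" && ((ret++))`. The comment above that block could also name the expectation precisely: `# daemon restarted without --default-ulimit: container restart must rebuild config.json with no RLIMIT_ entries`. The rest of `test_ulimit` lies outside this hunk.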
@@ -438,6 +455,12 @@ fi %endif %changelog +* Tue Jan 30 2024 zhongtao - 2.0.18-16 +- Type: bugfix +- ID: NA +- SUG: NA +- DESC: upgrade from upstream + * Fri Dec 29 2023 yangjiaqi - 2.0.18-15 - Type: bugfix - ID: NA