kata-containers: remove ctty and add CVE patch and update make flag

Signed-off-by: jikui <jikui2@huawei.com>
2021-04-27 19:47:41 +08:00 · 2021-04-27 19:47:41 +08:00 · 7cc86e49c7
commit 7cc86e49c7
parent 5053f5a1f6
13 changed files with 331 additions and 0 deletions
--- a/agent/patches/0019-kata-agent-modify-make-flags.patch
+++ b/agent/patches/0019-kata-agent-modify-make-flags.patch
@ -0,0 +1,29 @@
+From 1c7aaafa7b8691ea6ed6c910455567b36bb6f5ff Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Thu, 18 Mar 2021 15:25:49 +0800
+Subject: [PATCH] kata-agent: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index e4fd243..26fe898 100644
+--- a/Makefile
+++ b/Makefile
+@@ -101,6 +101,9 @@ AGENT_IMAGE := katacontainers/agent-dev
+ AGENT_TAG := $(if $(COMMIT_NO_SHORT),$(COMMIT_NO_SHORT),dev)
+ 
+ $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE)
+	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \
+ 		-ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
+ 
+-- 
+2.25.1
+
--- a/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch
+++ b/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch
@ -0,0 +1,37 @@
+From d98995f25c3a839f25590478bef37d2a456593a3 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Mon, 22 Mar 2021 17:07:37 +0800
+Subject: [PATCH] kata-agent: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 26fe898..5401c69 100644
+--- a/Makefile
+++ b/Makefile
+@@ -16,7 +16,7 @@ INIT := no
+ TRACE := no
+ 
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
+STRIP := yes
+ 
+ # Tracing cannot currently be supported when running the agent as PID 1 since
+ # the tracing requires additional services to be started _before_ the agent
+@@ -105,7 +105,7 @@ $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE)
+ 	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \
+-		-ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
+		-ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
+ 
+ install: $(TARGET)
+ 	install -D $(TARGET) $(DESTDIR)$(BINDIR)/$(TARGET)
+-- 
+2.25.1
+
--- a/agent/series.conf
+++ b/agent/series.conf
@ -16,3 +16,5 @@
 0016-clock-synchronizes-clock-info-with-proxy.patch
 0017-agent-add-support-of-new-sandbox-StratoVirt.patch
 0018-kata-agent-update-nic-in-guest.patch
+0019-kata-agent-modify-make-flags.patch
+0020-kata-agent-add-linkmode-to-resolve-build-error.patch
--- a/proxy/patches/0002-kata-proxy-modify-make-flags.patch
+++ b/proxy/patches/0002-kata-proxy-modify-make-flags.patch
@ -0,0 +1,29 @@
+From 2c5cbf2ca9624d5443ad334a8337cb58d57573b2 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Thu, 18 Mar 2021 15:34:07 +0800
+Subject: [PATCH] kata-proxy: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index a1b3eee..07e9ba8 100644
+--- a/Makefile
+++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+ 
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
+	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+-- 
+2.25.1
+
--- a/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch
+++ b/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch
@ -0,0 +1,37 @@
+From 5c4d7bcbef7d213009f1c63acf53319e230e06e2 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Mon, 22 Mar 2021 17:11:48 +0800
+Subject: [PATCH] kata-proxy: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 07e9ba8..b931dd3 100644
+--- a/Makefile
+++ b/Makefile
+@@ -5,7 +5,7 @@
+ #
+ 
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
+STRIP := yes
+ 
+ DESTDIR :=
+ ifeq ($(PREFIX),)
+@@ -36,7 +36,7 @@ $(TARGET): $(SOURCES) $(VERSION_FILE)
+ 	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+-	go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+	go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+ 	bash .ci/go-test.sh
+-- 
+2.25.1
+
--- a/proxy/series.conf
+++ b/proxy/series.conf
@ -1 +1,3 @@
 0001-clock-synchronizes-clock-info-to-agent.patch
+0002-kata-proxy-modify-make-flags.patch
+0003-kata-proxy-add-linkmode-to-resolve-build-error.patch
--- a/runtime/patches/0068-kata-runtime-modify-make-flags.patch
+++ b/runtime/patches/0068-kata-runtime-modify-make-flags.patch
@ -0,0 +1,45 @@
+From 883dac2d9cd4daea88a9ac0325df02d1de578168 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Thu, 18 Mar 2021 15:48:11 +0800
+Subject: [PATCH] kata-runtime: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b62e64b..6b9f764 100644
+--- a/Makefile
+++ b/Makefile
+@@ -521,7 +521,11 @@ containerd-shim-v2: $(SHIMV2_OUTPUT)
+ netmon: $(NETMON_TARGET_OUTPUT)
+ 
+ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
+-	$(QUIET_BUILD)(cd $(NETMON_DIR) && go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
+	$(QUIET_BUILD)(cd $(NETMON_DIR) && \
+	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+	go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
+ 
+ runtime: $(TARGET_OUTPUT) $(CONFIGS)
+ .DEFAULT: default
+@@ -559,7 +563,11 @@ GENERATED_FILES += $(CLI_DIR)/config-generated.go
+ GENERATED_FILES += pkg/katautils/config-settings.go
+ 
+ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+-	$(QUIET_BUILD)(cd $(CLI_DIR) && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+	$(QUIET_BUILD)(cd $(CLI_DIR) && \
+	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+	go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+ 
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+ 	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .)
+-- 
+2.25.1
+
--- a/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
+++ b/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
@ -0,0 +1,48 @@
+From 22678612f668274ab0b37175517401039e17ff00 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Mon, 22 Mar 2021 17:18:14 +0800
+Subject: [PATCH] kata-runtime: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 6b9f764..f7a9311 100644
+--- a/Makefile
+++ b/Makefile
+@@ -490,8 +490,9 @@ endif
+ BUILDFLAGS := -buildmode=pie ${BUILDTAGS}
+ 
+ # whether stipping the binary
+STRIP=yes
+ ifeq ($(STRIP),yes)
+-       KATA_LDFLAGS := -ldflags "-w -s"
+	KATA_LDFLAGS := -ldflags "-w -s"
+ endif
+ 
+ # Return non-empty string if specified directory exists
+@@ -525,7 +526,7 @@ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
+ 	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+-	go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
+	go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION) -w -s")
+ 
+ runtime: $(TARGET_OUTPUT) $(CONFIGS)
+ .DEFAULT: default
+@@ -567,7 +568,7 @@ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+ 	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+-	go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+	go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external" .)
+ 
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+ 	$(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .)
+-- 
+2.25.1
+
--- a/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
+++ b/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
@ -0,0 +1,29 @@
+From 6d684a77e027e8103345cab768860533705d5ce4 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Tue, 23 Mar 2021 17:17:00 +0800
+Subject: [PATCH] kata-runtime: remove ctty to resolve build failed
+
+reason: remove ctty to resolve build failed
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ virtcontainers/shim.go | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/virtcontainers/shim.go b/virtcontainers/shim.go
+index b192b25..08097f0 100644
+--- a/virtcontainers/shim.go
+++ b/virtcontainers/shim.go
+@@ -219,9 +219,6 @@ func startShim(args []string, params ShimParams) (int, error) {
+ 		cmd.Stderr = f
+ 		// Create Session
+ 		cmd.SysProcAttr.Setsid = true
+-		// Set Controlling terminal to Ctty
+-		cmd.SysProcAttr.Setctty = true
+-		cmd.SysProcAttr.Ctty = int(f.Fd())
+ 	}
+ 	defer func() {
+ 		if f != nil {
+-- 
+2.25.1
+
--- a/runtime/series.conf
+++ b/runtime/series.conf
@ -63,3 +63,8 @@
 0063-kata-runtime-fix-get-sandbox-cpu-resources-problem.patch
 0064-runtime-add-support-for-stratovirt-of-kata-check-cli.patch
 0065-runtime-fixup-that-the-getPids-function-returns-pid-.patch
+0066-CVE-2020-28914-1.patch
+0067-CVE-2020-28914-2.patch
+0068-kata-runtime-modify-make-flags.patch
+0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
+0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
--- a/shim/patches/0002-kata-shim-modify-make-flags.patch
+++ b/shim/patches/0002-kata-shim-modify-make-flags.patch
@ -0,0 +1,29 @@
+From 0a4adf4ffafd31820c471353757de2a6e2260e39 Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Thu, 18 Mar 2021 15:52:27 +0800
+Subject: [PATCH] kata-shim: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 5cba637..b244053 100644
+--- a/Makefile
+++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+ 
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
+	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+-- 
+2.25.1
+
--- a/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch
+++ b/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch
@ -0,0 +1,37 @@
+From 68290317bc35b3420506f0e25d7fccbdb9f88f5f Mon Sep 17 00:00:00 2001
+From: jikui <jikui2@huawei.com>
+Date: Mon, 22 Mar 2021 17:21:10 +0800
+Subject: [PATCH] kata-shim: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui <jikui2@huawei.com>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b244053..70d4a8d 100644
+--- a/Makefile
+++ b/Makefile
+@@ -5,7 +5,7 @@
+ #
+ 
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
+STRIP := yes
+ 
+ DESTDIR :=
+ ifeq ($(PREFIX),)
+@@ -36,7 +36,7 @@ $(TARGET): $(SOURCES) $(VERSION_FILE)
+ 	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+-	go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+	go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+ 	@echo "Go tests using faketty"
+-- 
+2.25.1
+
--- a/shim/series.conf
+++ b/shim/series.conf
@ -1 +1,3 @@
 0001-kata-shim-fix-kata-shim-process-wait-long-tim.patch
+0002-kata-shim-modify-make-flags.patch
+0003-kata-shim-add-linkmode-to-resolve-build-error.patch