runc:fix tmpfs mount bug and blkio do not set bug

(cherry picked from commit 2a254aad97ade8f00fa5dac6a6a5d853d88c10b0)
2023-03-29 14:58:09 +08:00 · 2023-03-29 14:58:09 +08:00 · a7aba29ea2
commit a7aba29ea2
parent 121867a9e5
4 changed files with 101 additions and 1 deletions
--- a/patch/0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
+++ b/patch/0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
@ -0,0 +1,50 @@
+From 535863ca83bef6f294780c02633fa50dc563672a Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Sun, 13 Jun 2021 18:03:22 -0700
+Subject: [PATCH] libct/cg/fs/blkio: do not set weight == 0
+
+For per-device weight, you can set weight and/or leaf weight.
+The problem is, with the recent fix to use BFQ on cgroup v1,
+if per-device weights are set, the code tries to set device
+weight to blkio.bfq.weight, and the leaf weight to
+blkio.leaf_weight_device. The latter file does not exist on
+kernels v5.0, meaning one can not set any per-device weights
+at all.
+
+The fix is to only set weights if they are non-zero (i.e. set).
+
+The test case will come in a following commit.
+
+Fixes: 6339d8a0dd7a72
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+ libcontainer/cgroups/fs/blkio.go | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/libcontainer/cgroups/fs/blkio.go b/libcontainer/cgroups/fs/blkio.go
+index a142cb99..ea2cf647 100644
+--- a/libcontainer/cgroups/fs/blkio.go
+++ b/libcontainer/cgroups/fs/blkio.go
+@@ -42,11 +42,15 @@ func (s *BlkioGroup) Set(path string, cgroup *configs.Cgroup) error {
+ 		}
+ 	}
+ 	for _, wd := range cgroup.Resources.BlkioWeightDevice {
+-		if err := writeFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
+-			return err
+		if wd.Weight != 0 {
+			if err := writeFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
+				return err
+			}
+ 		}
+-		if err := writeFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
+-			return err
+		if wd.LeafWeight != 0 {
+			if err := writeFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
+				return err
+			}
+ 		}
+ 	}
+ 	for _, td := range cgroup.Resources.BlkioThrottleReadBpsDevice {
+-- 
+2.33.0
+
--- a/patch/0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch
+++ b/patch/0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch
@ -0,0 +1,42 @@
+From c9e5582c822aca7d6ec2e1d6c494ab2370aac82f Mon Sep 17 00:00:00 2001
+From: Kir Kolyshkin <kolyshkin@gmail.com>
+Date: Mon, 4 Jan 2021 20:17:35 -0800
+Subject: [PATCH] runc run: resolve tmpfs mount dest in container scope
+
+In case a tmpfs mount path contains absolute symlinks, runc errors out
+because those symlinks are resolved in the host (rather than container)
+filesystem scope.
+
+The fix is similar to that for bind mounts -- resolve the destination
+in container rootfs scope using securejoin, and use the resolved path.
+
+A simple integration test case is added to prevent future regressions.
+
+Fixes https://github.com/opencontainers/runc/issues/2683.
+
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+---
+ libcontainer/rootfs_linux.go | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
+index b005429b..dc66d8a9 100644
+--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
+@@ -208,6 +208,13 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+ 	case "tmpfs":
+ 		copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
+ 		tmpDir := ""
+		// dest might be an absolute symlink, so it needs
+		// to be resolved under rootfs.
+		dest, err := securejoin.SecureJoin(rootfs, m.Destination)
+		if err != nil {
+			return err
+		}
+		m.Destination = dest
+ 		stat, err := os.Stat(dest)
+ 		if err != nil {
+ 			if err := os.MkdirAll(dest, 0755); err != nil {
+-- 
+2.33.0
+
--- a/runc.spec
+++ b/runc.spec
@ -2,7 +2,7 @@

 Name: docker-runc
 Version: 1.0.0.rc3
-Release: 210
+Release: 211
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Wed Mar 29 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-211
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix tmpfs mount bug and blkio do not set bug
+
 * Mon Feb 13 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-210
 - Type:bugfix
 - ID:NA
--- a/series.conf
+++ b/series.conf
@ -126,3 +126,5 @@
 0132-Make-sure-signalAllProcesses-is-invoked-in-the-funct.patch
 0133-runc-seccomp-prepend-ENOSYS-stub-to-all-filters.patch
 0134-runc-fix-seccomp-add-rule-failed.patch
+0135-runc-libct-cg-fs-blkio-do-not-set-weight-0.patch
+0136-runc-run-resolve-tmpfs-mount-dest-in-container-scope.patch