From 610209278bcd7a6a41c561c9ed386e645ce660ee Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Fri, 5 Feb 2021 21:48:06 +0000 Subject: [PATCH 1/4] containerd: update to 1.4.3 Drop all backported patches and security fixes, since they are in the new release. Drop the SELinux patches, to take advantage of the improved support. Remove the socat dependency, since it is no longer used for CRI port forwarding. Signed-off-by: Ben Cressey --- ...-mountLabel-when-mounting-the-rootfs.patch | 47 -- ...logging-when-no-errors-have-occurred.patch | 14 +- ... 1002-cri-set-default-RLIMIT_NOFILE.patch} | 64 +- ...001-selinux-add-DefaultLabels-helper.patch | 98 --- ...default-SELinux-labels-as-a-fallback.patch | 44 -- ...-signal-forward-if-process-not-found.patch | 38 - ...e-SIGURG-signals-in-signal-forwarder.patch | 104 --- .../5001-Always-consume-shim-logs.patch | 65 -- packages/containerd/6001-CVE-2020-15257.patch | 684 ------------------ packages/containerd/Cargo.toml | 4 +- packages/containerd/containerd.spec | 26 +- 11 files changed, 46 insertions(+), 1142 deletions(-) delete mode 100644 packages/containerd/0001-Use-spec-s-mountLabel-when-mounting-the-rootfs.patch rename packages/containerd/{3001-cri-set-default-RLIMIT_NOFILE.patch => 1002-cri-set-default-RLIMIT_NOFILE.patch} (57%) delete mode 100644 packages/containerd/2001-selinux-add-DefaultLabels-helper.patch delete mode 100644 packages/containerd/2002-cri-use-default-SELinux-labels-as-a-fallback.patch delete mode 100644 packages/containerd/4001-Exit-signal-forward-if-process-not-found.patch delete mode 100644 packages/containerd/4002-Ignore-SIGURG-signals-in-signal-forwarder.patch delete mode 100644 packages/containerd/5001-Always-consume-shim-logs.patch delete mode 100644 packages/containerd/6001-CVE-2020-15257.patch 
diff --git a/packages/containerd/0001-Use-spec-s-mountLabel-when-mounting-the-rootfs.patch b/packages/containerd/0001-Use-spec-s-mountLabel-when-mounting-the-rootfs.patch
deleted file mode 100644
index 495ccacf38b..00000000000
--- a/packages/containerd/0001-Use-spec-s-mountLabel-when-mounting-the-rootfs.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From c134a9befa59fd5ab670a9c250f74cb3e4c88844 Mon Sep 17 00:00:00 2001
-From: Darren Shepherd
-Date: Mon, 24 Feb 2020 09:53:42 -0700
-Subject: [PATCH] Use spec's mountLabel when mounting the rootfs
-
-In NewContainer if a SnapshotKey is used and the spec has
-a mountLabel specified, that mountLabel should be used to mount
-the rootfs.
-
-Signed-off-by: Darren Shepherd
----
- container.go | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/container.go b/container.go
-index fd880d0e..187934ea 100644
---- a/container.go
-+++ b/container.go
-@@ -36,6 +36,7 @@ import (
- prototypes "github.com/gogo/protobuf/types"
- ver "github.com/opencontainers/image-spec/specs-go"
- ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-+ "github.com/opencontainers/selinux/go-selinux/label"
- "github.com/pkg/errors"
- )
-
-@@ -242,7 +243,17 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
- if err != nil {
- return nil, err
- }
-+ spec, err := c.Spec(ctx)
-+ if err != nil {
-+ return nil, err
-+ }
- for _, m := range mounts {
-+ if spec.Linux != nil && spec.Linux.MountLabel != "" {
-+ context := label.FormatMountLabel("", spec.Linux.MountLabel)
-+ if context != "" {
-+ m.Options = append(m.Options, context)
-+ }
-+ }
- request.Rootfs = append(request.Rootfs, &types.Mount{
- Type: m.Type,
- Source: m.Source,
---
-2.21.0
-
diff --git a/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch b/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch
index f4769073d6c..3849b99631a 100644
--- a/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch
+++ b/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch
@@ -1,7 +1,7 @@
-From 620046d6f883433ef1d030ea9c428acbd1e71035 Mon Sep 17 00:00:00 2001
+From bc5b05e893c4f95057d881e5a7676d221ad14588 Mon Sep 17 00:00:00 2001
 From: Matt Briggs
 Date: Wed, 1 Apr 2020 16:55:04 -0700
-Subject: [PATCH] cri: reduce logging when no errors have occurred
+Subject: [PATCH 1001/1002] cri: reduce logging when no errors have occurred
 
 ---
  .../containerd/cri/pkg/server/container_execsync.go | 3 ++-
@@ -10,10 +10,10 @@ Subject: [PATCH] cri: reduce logging when no errors have occurred
  3 files changed, 5 insertions(+), 4 deletions(-)
 
 diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
-index b46e6e5..36e64c0 100644
+index 1c019f651..da50ed3eb 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
-@@ -186,10 +186,11 @@ func (c *criService) execInContainer(ctx context.Context, id string, opts execOp
+@@ -171,10 +171,11 @@ func (c *criService) execInternal(ctx context.Context, container containerd.Cont
  return nil, errors.Wrapf(execCtx.Err(), "timeout %v exceeded", opts.timeout)
  case exitRes := <-exitCh:
  code, _, err := exitRes.Result()
@@ -27,7 +27,7 @@ index b46e6e5..36e64c0 100644
  log.G(ctx).Debugf("Stream pipe for exec process %q done", execID)
  return &code, nil
 diff --git a/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go b/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
-index 8a23c13..11e1f34 100644
+index 2c2528ab6..1488dc09d 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/instrumented_service.go
 @@ -247,12 +247,12 @@ func (in *instrumentedService) ExecSync(ctx context.Context, r *runtime.ExecSync
@@ -46,7 +46,7 @@ index 8a23c13..11e1f34 100644
  res.GetStdout(), res.GetStderr())
  }
 diff --git a/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go b/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
-index 3b2c36a..4e868b6 100644
+index 4a695030d..f1b9ef370 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/io/exec_io.go
 @@ -99,7 +99,7 @@ func (e *ExecIO) Attach(opts AttachOptions) <-chan struct{} {
@@ -59,5 +59,5 @@ index 3b2c36a..4e868b6 100644
  
  if opts.Stdout != nil {
 -- 
-2.21.0
+2.26.2
 
diff --git a/packages/containerd/3001-cri-set-default-RLIMIT_NOFILE.patch b/packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch
similarity index 57%
rename from packages/containerd/3001-cri-set-default-RLIMIT_NOFILE.patch
rename to packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch
index a291c458417..46406383774 100644
--- a/packages/containerd/3001-cri-set-default-RLIMIT_NOFILE.patch
+++ b/packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch
@@ -1,26 +1,27 @@
-From 64deef11da4cf532ea9d82cc499f5174a8907e29 Mon Sep 17 00:00:00 2001
+From f6cb04298ec80f137d42689c18087e5ba942f98d Mon Sep 17 00:00:00 2001
 From: Zac Mrowicki
 Date: Thu, 22 Oct 2020 20:44:38 +0000
-Subject: [PATCH] cri: set default RLIMIT_NOFILE
+Subject: [PATCH 1002/1002] cri: set default RLIMIT_NOFILE
 
 The `cri` plugin currently inherits the limit from the default OCI spec or the containerd process. This change sets the default hard RLIMIT_NOFILE to 1048576 and the soft limit to 65536 in the OCI spec for any container spawned using `cri`.
 ---
- vendor/github.com/containerd/cri/pkg/config/config.go | 8 ++++++++
- .../containerd/cri/pkg/containerd/opts/spec.go | 11 +++++++++++
- .../containerd/cri/pkg/server/container_create.go | 11 +++++++++++
- 3 files changed, 30 insertions(+)
+ vendor/github.com/containerd/cri/pkg/config/config.go | 6 ++++++
+ .../containerd/cri/pkg/config/config_unix.go | 2 ++
+ .../containerd/cri/pkg/containerd/opts/spec_unix.go | 11 +++++++++++
+ .../cri/pkg/server/container_create_unix.go | 11 +++++++++++
+ 4 files changed, 30 insertions(+)
 
 diff --git a/vendor/github.com/containerd/cri/pkg/config/config.go b/vendor/github.com/containerd/cri/pkg/config/config.go
-index 7c5f9eb..772bf28 100644
+index a0c86fa76..f8f914fed 100644
 --- a/vendor/github.com/containerd/cri/pkg/config/config.go
 +++ b/vendor/github.com/containerd/cri/pkg/config/config.go
-@@ -204,6 +204,12 @@ type PluginConfig struct {
- // DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
- // when using containerd with Kubernetes <=1.11.
- DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
+@@ -252,6 +252,12 @@ type PluginConfig struct {
+ // isolation, security and early detection of issues in the mount configuration when using
+ // ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.
+ IgnoreImageDefinedVolumes bool `toml:"ignore_image_defined_volumes" json:"ignoreImageDefinedVolumes"`
 + // ProcessRLimitNoFileSoft sets the soft limit of maximum file
 + // descriptors each container process can use.
 + ProcessRLimitNoFileSoft int `toml:"process_rlimit_no_file_soft" json:"process_rlimit_no_file_soft"`
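Review bot: The JSON tag on the new field, `json:"process_rlimit_no_file_soft"`, is snake_case while every neighbouring PluginConfig field, including the `IgnoreImageDefinedVolumes` context line this patch is now rebased onto, uses snake_case for `toml` and camelCase for `json`; since the patch is being rebased anyway, `json:"processRLimitNoFileSoft"` (and the matching tag on the Hard field, which lies past the end of this hunk) would follow the upstream convention. The `json` tag presumably shows up wherever the CRI plugin config is marshalled, so changing it is a small compatibility decision for anything reading that output; if the snake_case name is kept deliberately, a one-line comment such as `// json tag intentionally matches the toml key` would stop the next rebase from "fixing" it. The PluginConfig struct begins before this hunk and continues beyond it.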
@@ -30,21 +31,24 @@ index 7c5f9eb..772bf28 100644
  }
  
  // X509KeyPairStreaming contains the x509 configuration for streaming
-@@ -271,6 +277,8 @@ func DefaultConfig() PluginConfig {
- },
- MaxConcurrentDownloads: 3,
- DisableProcMount: false,
-+ ProcessRLimitNoFileSoft: 65536,
-+ ProcessRLimitNoFileHard: 1048576,
+diff --git a/vendor/github.com/containerd/cri/pkg/config/config_unix.go b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+index 62ea66207..72d556103 100644
+--- a/vendor/github.com/containerd/cri/pkg/config/config_unix.go
++++ b/vendor/github.com/containerd/cri/pkg/config/config_unix.go
+@@ -72,5 +72,7 @@ func DefaultConfig() PluginConfig {
+ TolerateMissingHugetlbController: true,
+ DisableHugetlbController: true,
+ IgnoreImageDefinedVolumes: false,
++ ProcessRLimitNoFileSoft: 65536,
++ ProcessRLimitNoFileHard: 1048576,
  }
  }
- 
-diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
-index 0da421a..445c279 100644
---- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
-+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec.go
-@@ -48,6 +48,17 @@ const (
- DefaultSandboxCPUshares = 2
+diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
+index d644962d5..559dd1c5f 100644
+--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
++++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/spec_unix.go
+@@ -46,6 +46,17 @@ import (
+ "github.com/containerd/cri/pkg/util"
  )
  
 +// WithProcessRLimits sets the RLimits for this container process
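Review bot: The defaults added in DefaultConfig (`ProcessRLimitNoFileSoft: 65536`, `ProcessRLimitNoFileHard: 1048576`) are plain ints that come straight from the operator-editable CRI TOML, and nothing in this hunk validates them before they are handed to the OCI spec; a configuration with soft above hard, a negative value, or a hard limit above what the containerd process itself may set would presumably be rejected by the kernel at container create time rather than at config load, which turns a typo into every pod failing to start. A guard where the two values are read, e.g. `if cfg.ProcessRLimitNoFileSoft < 0 || cfg.ProcessRLimitNoFileSoft > cfg.ProcessRLimitNoFileHard { return errors.Errorf("invalid RLIMIT_NOFILE config: soft %d, hard %d", cfg.ProcessRLimitNoFileSoft, cfg.ProcessRLimitNoFileHard) }`, would report the mistake once and early. Only the doc comment of WithProcessRLimits is inside this hunk; its body and the CRI config validation code are outside the visible range, so such a check may already exist there.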
@@ -61,11 +65,11 @@ index 0da421a..445c279 100644
  // WithAdditionalGIDs adds any additional groups listed for a particular user in the
  // /etc/groups file of the image's root filesystem to the OCI spec's additionalGids array.
  func WithAdditionalGIDs(userstr string) oci.SpecOpts {
-diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go
-index d35fff3..c665973 100644
---- a/vendor/github.com/containerd/cri/pkg/server/container_create.go
-+++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go
-@@ -335,6 +335,17 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+index 6ebebf9ad..0e089b48a 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_create_unix.go
+@@ -123,6 +123,17 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
  // this will be set based on the security context below
  oci.WithNewPrivileges,
  }
@@ -84,5 +88,5 @@ index d35fff3..c665973 100644
  specOpts = append(specOpts, oci.WithProcessCwd(config.GetWorkingDir()))
  } else if imageConfig.WorkingDir != "" {
 -- 
-2.21.0
+2.26.2
 
diff --git a/packages/containerd/2001-selinux-add-DefaultLabels-helper.patch b/packages/containerd/2001-selinux-add-DefaultLabels-helper.patch
deleted file mode 100644
index e1e7bcccd84..00000000000
--- a/packages/containerd/2001-selinux-add-DefaultLabels-helper.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From b9b8e01729ea72e081c0488f21a6b7eff9836de9 Mon Sep 17 00:00:00 2001
-From: Ben Cressey
-Date: Wed, 29 Apr 2020 15:10:04 +0000
-Subject: [PATCH 2001/2002] selinux: add DefaultLabels helper
-
-This is very similar to the existing InitLabels helper function, but
-avoids allocating a new MCS label pair which would isolate containers
-in a pod from each other and break compatibility.
-
-In v1.4.0, containerd will have support for ensuring that containers
-in a pod end up sharing the MCS label pair, which should address the
-compatibility problem.
-
-Signed-off-by: Ben Cressey
----
- .../selinux/go-selinux/label/label.go | 6 +++
- .../selinux/go-selinux/label/label_selinux.go | 48 +++++++++++++++++++
- 2 files changed, 54 insertions(+)
-
-diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
-index e178568..194c797 100644
---- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
-+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label.go
-@@ -2,6 +2,12 @@
-
- package label
-
-+// DefaultLabels returns the process and file labels that should be used on the
-+// system if nothing more specific is requested.
-+func DefaultLabels() (string, string, error) {
-+ return "", "", nil
-+}
-+
- // InitLabels returns the process label and file labels to be used within
- // the container. A list of options can be passed into this function to alter
- // the labels.
-diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
-index 2730fcf..9170521 100644
---- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
-+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
-@@ -23,6 +23,54 @@ var validOptions = map[string]bool{
-
- var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
-
-+// DefaultLabels returns the process and file labels that should be used on the
-+// system if nothing more specific is requested. The labels returned do not
-+// need any subsequent cleanup.
-+func DefaultLabels() (plabel string, mlabel string, err error) {
-+ if !selinux.GetEnabled() {
-+ return "", "", nil
-+ }
-+
-+ // The labels we get back have an MCS pair, and we need to release it
-+ // since the caller won't expect to handle it. The MCS pair is shared
-+ // by both labels and we only need to release it once.
-+ processLabelMcs, mountLabelMcs := selinux.ContainerLabels()
-+ if processLabelMcs == "" {
-+ return "", "", nil
-+ }
-+
-+ defer func() {
-+ if err != nil {
-+ selinux.ReleaseLabel(processLabelMcs)
-+ }
-+ }()
-+
-+ // Turn the labels into structures for more convenient modification.
-+ pcon, err := selinux.NewContext(processLabelMcs)
-+ if err != nil {
-+ return "", "", err
-+ }
-+
-+ mcon, err := selinux.NewContext(mountLabelMcs)
-+ if err != nil {
-+ return "", "", err
-+ }
-+
-+ // We've got what we need from the original labels, which is just the
-+ // user, role, and type that are defined in the OS policy, so we can
-+ // release the MCS pair now.
-+ selinux.ReleaseLabel(processLabelMcs)
-+
-+ // Replace the level (which includes the MCS pair) with the default.
-+ pcon["level"] = "s0"
-+ mcon["level"] = "s0"
-+
-+ processLabel := pcon.Get()
-+ mountLabel := mcon.Get()
-+
-+ return processLabel, mountLabel, nil
-+}
-+
- // InitLabels returns the process label and file labels to be used within
- // the container. A list of options can be passed into this function to alter
- // the labels. The labels returned will include a random MCS String, that is
---
-2.21.0
-
diff --git a/packages/containerd/2002-cri-use-default-SELinux-labels-as-a-fallback.patch b/packages/containerd/2002-cri-use-default-SELinux-labels-as-a-fallback.patch
deleted file mode 100644
index ce887f2bd28..00000000000
--- a/packages/containerd/2002-cri-use-default-SELinux-labels-as-a-fallback.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f62026df7b3c14b7b952630a9d4ff0e4c327d82a Mon Sep 17 00:00:00 2001
-From: Ben Cressey
-Date: Wed, 29 Apr 2020 15:11:37 +0000
-Subject: [PATCH 2002/2002] cri: use default SELinux labels as a fallback
-
-The transition rules in our SELinux policy give us a sensible default
-for process labels, but there is no equivalent for mount labels. If
-we do not supply the mount label as a context option for the mount,
-the rootfs will not be writable.
-
-By convention, the default process and mount labels are found in the
-policy's lxc_contexts file, which is parsed by the SELinux module.
-We use our new helper function to obtain these labels while bypassing
-the MCS label pair allocation.
-
-Signed-off-by: Ben Cressey
----
- vendor/github.com/containerd/cri/pkg/server/helpers.go | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/github.com/containerd/cri/pkg/server/helpers.go b/vendor/github.com/containerd/cri/pkg/server/helpers.go
-index 572e7b9..cfac204 100644
---- a/vendor/github.com/containerd/cri/pkg/server/helpers.go
-+++ b/vendor/github.com/containerd/cri/pkg/server/helpers.go
-@@ -300,14 +300,14 @@ func (c *criService) ensureImageExists(ctx context.Context, ref string, config *
-
- func initSelinuxOpts(selinuxOpt *runtime.SELinuxOption) (string, string, error) {
- if selinuxOpt == nil {
-- return "", "", nil
-+ return label.DefaultLabels()
- }
-
- // Should ignored selinuxOpts if they are incomplete.
- if selinuxOpt.GetUser() == "" ||
- selinuxOpt.GetRole() == "" ||
- selinuxOpt.GetType() == "" {
-- return "", "", nil
-+ return label.DefaultLabels()
- }
-
- // make sure the format of "level" is correct.
---
-2.21.0
-
diff --git a/packages/containerd/4001-Exit-signal-forward-if-process-not-found.patch b/packages/containerd/4001-Exit-signal-forward-if-process-not-found.patch
deleted file mode 100644
index 6f43c529614..00000000000
--- a/packages/containerd/4001-Exit-signal-forward-if-process-not-found.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 11325afdb7e906c65e84009029a95011b077858f Mon Sep 17 00:00:00 2001
-From: Brian Goff
-Date: Fri, 4 Sep 2020 15:51:30 -0700
-Subject: [PATCH 1/2] Exit signal forward if process not found
-
-Previously the signal loop can end up racing with the process exiting.
-Intead of logging and continuing the loop, exit early.
-
-Signed-off-by: Brian Goff
-(cherry picked from commit 6650510836704c3ccf2af4eca60e4e9487f91601)
-Signed-off-by: Sebastiaan van Stijn
----
- cmd/ctr/commands/signals.go | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/cmd/ctr/commands/signals.go b/cmd/ctr/commands/signals.go
-index 51afb0f7bd..d0c1daa9b5 100644
---- a/cmd/ctr/commands/signals.go
-+++ b/cmd/ctr/commands/signals.go
-@@ -23,6 +23,7 @@ import (
- "syscall"
-
- "github.com/containerd/containerd"
-+ "github.com/containerd/containerd/errdefs"
- "github.com/sirupsen/logrus"
- )
-
-@@ -38,6 +39,10 @@ func ForwardAllSignals(ctx gocontext.Context, task killer) chan os.Signal {
- for s := range sigc {
- logrus.Debug("forwarding signal ", s)
- if err := task.Kill(ctx, s.(syscall.Signal)); err != nil {
-+ if errdefs.IsNotFound(err) {
-+ logrus.WithError(err).Debugf("Not forwarding signal %s", s)
-+ return
-+ }
- logrus.WithError(err).Errorf("forward signal %s", s)
- }
- }
diff --git a/packages/containerd/4002-Ignore-SIGURG-signals-in-signal-forwarder.patch b/packages/containerd/4002-Ignore-SIGURG-signals-in-signal-forwarder.patch
deleted file mode 100644
index 395ed7dabe6..00000000000
--- a/packages/containerd/4002-Ignore-SIGURG-signals-in-signal-forwarder.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 1850de7af9edd5a40e9be1c6e2b925ac993274fa Mon Sep 17 00:00:00 2001
-From: Brian Goff
-Date: Fri, 4 Sep 2020 15:57:30 -0700
-Subject: [PATCH 2/2] Ignore SIGURG signals in signal forwarder
-
-Starting with go1.14, the go runtime hijacks SIGURG but with no way to
-not send to other signal handlers.
-
-In practice, we get this signal frequently.
-I found this while testing out go1.15 with ctr and multiple execs with
-only `echo hello`. When the process exits quickly, if the previous
-commit is not applied, you end up with an error message that it couldn't
-forward SIGURG to the container (due to the process being gone).
-
-Signed-off-by: Brian Goff
-(cherry picked from commit 899b4e3cb55b8e3f41d5b26d312d7c29a5b53b09)
-Signed-off-by: Sebastiaan van Stijn
----
- cmd/ctr/commands/signals.go | 4 ++++
- cmd/ctr/commands/signals_linux.go | 27 +++++++++++++++++++++++++++
- cmd/ctr/commands/signals_notlinux.go | 25 +++++++++++++++++++++++++
- 3 files changed, 56 insertions(+)
- create mode 100644 cmd/ctr/commands/signals_linux.go
- create mode 100644 cmd/ctr/commands/signals_notlinux.go
-
-diff --git a/cmd/ctr/commands/signals.go b/cmd/ctr/commands/signals.go
-index d0c1daa9b5..311608c26c 100644
---- a/cmd/ctr/commands/signals.go
-+++ b/cmd/ctr/commands/signals.go
-@@ -37,6 +37,10 @@ func ForwardAllSignals(ctx gocontext.Context, task killer) chan os.Signal {
- signal.Notify(sigc)
- go func() {
- for s := range sigc {
-+ if canIgnoreSignal(s) {
-+ logrus.Debugf("Ignoring signal %s", s)
-+ continue
-+ }
- logrus.Debug("forwarding signal ", s)
- if err := task.Kill(ctx, s.(syscall.Signal)); err != nil {
- if errdefs.IsNotFound(err) {
-diff --git a/cmd/ctr/commands/signals_linux.go b/cmd/ctr/commands/signals_linux.go
-new file mode 100644
-index 0000000000..f41abfcfd3
---- /dev/null
-+++ b/cmd/ctr/commands/signals_linux.go
-@@ -0,0 +1,27 @@
-+/*
-+ Copyright The containerd Authors.
-+
-+ Licensed under the Apache License, Version 2.0 (the "License");
-+ you may not use this file except in compliance with the License.
-+ You may obtain a copy of the License at
-+
-+ http://www.apache.org/licenses/LICENSE-2.0
-+
-+ Unless required by applicable law or agreed to in writing, software
-+ distributed under the License is distributed on an "AS IS" BASIS,
-+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ See the License for the specific language governing permissions and
-+ limitations under the License.
-+*/
-+
-+package commands
-+
-+import (
-+ "os"
-+
-+ "golang.org/x/sys/unix"
-+)
-+
-+func canIgnoreSignal(s os.Signal) bool {
-+ return s == unix.SIGURG
-+}
-diff --git a/cmd/ctr/commands/signals_notlinux.go b/cmd/ctr/commands/signals_notlinux.go
-new file mode 100644
-index 0000000000..6a9dccbc4e
---- /dev/null
-+++ b/cmd/ctr/commands/signals_notlinux.go
-@@ -0,0 +1,25 @@
-+//+build !linux
-+
-+/*
-+ Copyright The containerd Authors.
-+
-+ Licensed under the Apache License, Version 2.0 (the "License");
-+ you may not use this file except in compliance with the License.
-+ You may obtain a copy of the License at
-+
-+ http://www.apache.org/licenses/LICENSE-2.0
-+
-+ Unless required by applicable law or agreed to in writing, software
-+ distributed under the License is distributed on an "AS IS" BASIS,
-+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ See the License for the specific language governing permissions and
-+ limitations under the License.
-+*/
-+
-+package commands
-+
-+import "os"
-+
-+func canIgnoreSignal(_ os.Signal) bool {
-+ return false
-+}
diff --git a/packages/containerd/5001-Always-consume-shim-logs.patch b/packages/containerd/5001-Always-consume-shim-logs.patch
deleted file mode 100644
index 1fa35e8e0b5..00000000000
--- a/packages/containerd/5001-Always-consume-shim-logs.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 42f3871864a49f492d7a3f014ea3930c5f20b14d Mon Sep 17 00:00:00 2001
-From: Brian Goff
-Date: Wed, 9 Sep 2020 16:42:35 -0700
-Subject: [PATCH] Always consume shim logs
-
-These fifos fill up if unconsumed, so always consume them.
-
-Signed-off-by: Brian Goff
-(cherry picked from commit dab7bd0c4549a6a012004326f7415770c23afde4)
-Signed-off-by: Derek McGowan
----
- runtime/v1/shim/client/client.go | 31 +++++++++++++++++--------------
- 1 file changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
-index 562ee6ca48..9653454afc 100644
---- a/runtime/v1/shim/client/client.go
-+++ b/runtime/v1/shim/client/client.go
-@@ -22,6 +22,7 @@ import (
- "context"
- "fmt"
- "io"
-+ "io/ioutil"
- "net"
- "os"
- "os/exec"
-@@ -67,22 +68,24 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
- }
- defer f.Close()
-
-- var stdoutLog io.ReadWriteCloser
-- var stderrLog io.ReadWriteCloser
-- if debug {
-- stdoutLog, err = v1.OpenShimStdoutLog(ctx, config.WorkDir)
-- if err != nil {
-- return nil, nil, errors.Wrapf(err, "failed to create stdout log")
-- }
--
-- stderrLog, err = v1.OpenShimStderrLog(ctx, config.WorkDir)
-- if err != nil {
-- return nil, nil, errors.Wrapf(err, "failed to create stderr log")
-- }
-+ stdoutCopy := ioutil.Discard
-+ stderrCopy := ioutil.Discard
-+ stdoutLog, err := v1.OpenShimStdoutLog(ctx, config.WorkDir)
-+ if err != nil {
-+ return nil, nil, errors.Wrapf(err, "failed to create stdout log")
-+ }
-
-- go io.Copy(os.Stdout, stdoutLog)
-- go io.Copy(os.Stderr, stderrLog)
-+ stderrLog, err := v1.OpenShimStderrLog(ctx, config.WorkDir)
-+ if err != nil {
-+ return nil, nil, errors.Wrapf(err, "failed to create stderr log")
- }
-+ if debug {
-+ stdoutCopy = os.Stdout
-+ stderrCopy = os.Stderr
-+ }
-+
-+ go io.Copy(stdoutCopy, stdoutLog)
-+ go io.Copy(stderrCopy, stderrLog)
-
- cmd, err := newCommand(binary, daemonAddress, debug, config, f, stdoutLog, stderrLog)
- if err != nil {
diff --git a/packages/containerd/6001-CVE-2020-15257.patch b/packages/containerd/6001-CVE-2020-15257.patch
deleted file mode 100644
index fb3154c96bc..00000000000
--- a/packages/containerd/6001-CVE-2020-15257.patch
+++ /dev/null
@@ -1,684 +0,0 @@ -From 88bf5aa76a1422859fc3c1d4547710d3d378c0eb Mon Sep 17 00:00:00 2001 -From: Samuel Karp -Date: Fri, 13 Nov 2020 13:42:09 -0800 -Subject: [PATCH] [containerd 1.3] Fix CVE-2020-15257 - ------------------------------------------------------------------------ - -Use path based unix socket for shims - -This allows filesystem based ACLs for configuring access to the socket of a -shim. - -Co-authored-by: Samuel Karp -Signed-off-by: Samuel Karp -Signed-off-by: Michael Crosby -Signed-off-by: Michael Crosby - ------------------------------------------------------------------------ - -containerd-shim: use path-based unix socket - -This allows filesystem-based ACLs for configuring access to the socket -of a shim. - -Ported from Michael Crosby's similar patch for v2 shims. - -Signed-off-by: Samuel Karp ---- - cmd/containerd-shim/main_unix.go | 16 ++++-- - cmd/ctr/commands/shim/shim.go | 8 ++- - runtime/v1/linux/bundle.go | 15 +++-- - runtime/v1/shim/client/client.go | 94 ++++++++++++++++++++++++++---- - runtime/v2/runc/v1/service.go | 18 ++++-- - runtime/v2/runc/v2/service.go | 47 +++++++++++---- - runtime/v2/shim/shim.go | 9 ++- - runtime/v2/shim/shim_unix.go | 8 +-- - runtime/v2/shim/util.go | 2 +- - runtime/v2/shim/util_unix.go | 98 ++++++++++++++++++++++++++++---- - runtime/v2/shim/util_windows.go | 6 ++ - 11 files changed, 263 insertions(+), 58 deletions(-) - -diff --git a/cmd/containerd-shim/main_unix.go b/cmd/containerd-shim/main_unix.go -index 49f16e6ca..43bf71d4d 100644 ---- a/cmd/containerd-shim/main_unix.go -+++ b/cmd/containerd-shim/main_unix.go -@@ -71,7 +71,7 @@ var ( - func init() { - flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs") - flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim") -- flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve") -+ flag.StringVar(&socketFlag, "socket", "", "socket path to serve") - flag.StringVar(&addressFlag, "address", "", "grpc address 
back to main containerd") - flag.StringVar(&workdirFlag, "workdir", "", "path used to storge large temporary data") - flag.StringVar(&runtimeRootFlag, "runtime-root", process.RuncRoot, "root directory for the runtime") -@@ -202,10 +202,18 @@ func serve(ctx context.Context, server *ttrpc.Server, path string) error { - f.Close() - path = "[inherited from parent]" - } else { -- if len(path) > 106 { -- return errors.Errorf("%q: unix socket path too long (> 106)", path) -+ const ( -+ abstractSocketPrefix = "\x00" -+ socketPathLimit = 106 -+ ) -+ p := strings.TrimPrefix(path, "unix://") -+ if len(p) == len(path) { -+ p = abstractSocketPrefix + p - } -- l, err = net.Listen("unix", "\x00"+path) -+ if len(p) > socketPathLimit { -+ return errors.Errorf("%q: unix socket path too long (> %d)", p, socketPathLimit) -+ } -+ l, err = net.Listen("unix", p) - } - if err != nil { - return err -diff --git a/cmd/ctr/commands/shim/shim.go b/cmd/ctr/commands/shim/shim.go -index a5caeae2d..c210dbc6c 100644 ---- a/cmd/ctr/commands/shim/shim.go -+++ b/cmd/ctr/commands/shim/shim.go -@@ -24,6 +24,7 @@ import ( - "io/ioutil" - "net" - "path/filepath" -+ "strings" - - "github.com/containerd/console" - "github.com/containerd/containerd/cmd/ctr/commands" -@@ -240,10 +241,11 @@ func getTaskService(context *cli.Context) (task.TaskService, error) { - s1 := filepath.Join(string(filepath.Separator), "containerd-shim", ns, id, "shim.sock") - // this should not error, ctr always get a default ns - ctx := namespaces.WithNamespace(gocontext.Background(), ns) -- s2, _ := shim.SocketAddress(ctx, id) -+ s2, _ := shim.SocketAddress(ctx, context.GlobalString("address"), id) -+ s2 = strings.TrimPrefix(s2, "unix://") - -- for _, socket := range []string{s1, s2} { -- conn, err := net.Dial("unix", "\x00"+socket) -+ for _, socket := range []string{s2, "\x00" + s1} { -+ conn, err := net.Dial("unix", socket) - if err == nil { - client := ttrpc.NewClient(conn) - -diff --git a/runtime/v1/linux/bundle.go 
b/runtime/v1/linux/bundle.go -index e8b629b79..9d0a6c447 100644 ---- a/runtime/v1/linux/bundle.go -+++ b/runtime/v1/linux/bundle.go -@@ -91,7 +91,7 @@ func ShimRemote(c *Config, daemonAddress, cgroup string, exitHandler func()) Shi - return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) { - config := b.shimConfig(ns, c, ropts) - return config, -- client.WithStart(c.Shim, b.shimAddress(ns), daemonAddress, cgroup, c.ShimDebug, exitHandler) -+ client.WithStart(c.Shim, b.shimAddress(ns, daemonAddress), daemonAddress, cgroup, c.ShimDebug, exitHandler) - } - } - -@@ -117,6 +117,11 @@ func (b *bundle) NewShimClient(ctx context.Context, namespace string, getClientO - - // Delete deletes the bundle from disk - func (b *bundle) Delete() error { -+ address, _ := b.loadAddress() -+ if address != "" { -+ // we don't care about errors here -+ client.RemoveSocket(address) -+ } - err := atomicDelete(b.path) - if err == nil { - return atomicDelete(b.workDir) -@@ -133,9 +138,11 @@ func (b *bundle) legacyShimAddress(namespace string) string { - return filepath.Join(string(filepath.Separator), "containerd-shim", namespace, b.id, "shim.sock") - } - --func (b *bundle) shimAddress(namespace string) string { -- d := sha256.Sum256([]byte(filepath.Join(namespace, b.id))) -- return filepath.Join(string(filepath.Separator), "containerd-shim", fmt.Sprintf("%x.sock", d)) -+const socketRoot = "/run/containerd" -+ -+func (b *bundle) shimAddress(namespace, socketPath string) string { -+ d := sha256.Sum256([]byte(filepath.Join(socketPath, namespace, b.id))) -+ return fmt.Sprintf("unix://%s/%x", filepath.Join(socketRoot, "s"), d) - } - - func (b *bundle) loadAddress() (string, error) { -diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go -index 72f6cc8d4..0cfbd0060 100644 ---- a/runtime/v1/shim/client/client.go -+++ b/runtime/v1/shim/client/client.go -@@ -57,9 +57,17 @@ func WithStart(binary, address, daemonAddress, cgroup string, 
debug bool, exitHa - return func(ctx context.Context, config shim.Config) (_ shimapi.ShimService, _ io.Closer, err error) { - socket, err := newSocket(address) - if err != nil { -- return nil, nil, err -+ if !eaddrinuse(err) { -+ return nil, nil, err -+ } -+ if err := RemoveSocket(address); err != nil { -+ return nil, nil, errors.Wrap(err, "remove already used socket") -+ } -+ if socket, err = newSocket(address); err != nil { -+ return nil, nil, err -+ } - } -- defer socket.Close() -+ - f, err := socket.File() - if err != nil { - return nil, nil, errors.Wrapf(err, "failed to get fd for socket %s", address) -@@ -104,6 +112,8 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa - if stderrLog != nil { - stderrLog.Close() - } -+ socket.Close() -+ RemoveSocket(address) - }() - log.G(ctx).WithFields(logrus.Fields{ - "pid": cmd.Process.Pid, -@@ -138,6 +148,26 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa - } - } - -+func eaddrinuse(err error) bool { -+ cause := errors.Cause(err) -+ netErr, ok := cause.(*net.OpError) -+ if !ok { -+ return false -+ } -+ if netErr.Op != "listen" { -+ return false -+ } -+ syscallErr, ok := netErr.Err.(*os.SyscallError) -+ if !ok { -+ return false -+ } -+ errno, ok := syscallErr.Err.(syscall.Errno) -+ if !ok { -+ return false -+ } -+ return errno == syscall.EADDRINUSE -+} -+ - // setupOOMScore gets containerd's oom score and adds +1 to it - // to ensure a shim has a lower* score than the daemons - func setupOOMScore(shimPid int) error { -@@ -210,31 +240,73 @@ func writeFile(path, address string) error { - return os.Rename(tempPath, path) - } - --func newSocket(address string) (*net.UnixListener, error) { -- if len(address) > 106 { -- return nil, errors.Errorf("%q: unix socket path too long (> 106)", address) -+const ( -+ abstractSocketPrefix = "\x00" -+ socketPathLimit = 106 -+) -+ -+type socket string -+ -+func (s socket) isAbstract() bool { -+ return 
!strings.HasPrefix(string(s), "unix://") -+} -+ -+func (s socket) path() string { -+ path := strings.TrimPrefix(string(s), "unix://") -+ // if there was no trim performed, we assume an abstract socket -+ if len(path) == len(s) { -+ path = abstractSocketPrefix + path - } -- l, err := net.Listen("unix", "\x00"+address) -+ return path -+} -+ -+func newSocket(address string) (*net.UnixListener, error) { -+ if len(address) > socketPathLimit { -+ return nil, errors.Errorf("%q: unix socket path too long (> %d)", address, socketPathLimit) -+ } -+ var ( -+ sock = socket(address) -+ path = sock.path() -+ ) -+ if !sock.isAbstract() { -+ if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil { -+ return nil, errors.Wrapf(err, "%s", path) -+ } -+ } -+ l, err := net.Listen("unix", path) - if err != nil { -- return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address) -+ return nil, errors.Wrapf(err, "failed to listen to unix socket %q (abstract: %t)", address, sock.isAbstract()) -+ } -+ if err := os.Chmod(path, 0600); err != nil { -+ l.Close() -+ return nil, err - } - - return l.(*net.UnixListener), nil - } - -+// RemoveSocket removes the socket at the specified address if -+// it exists on the filesystem -+func RemoveSocket(address string) error { -+ sock := socket(address) -+ if !sock.isAbstract() { -+ return os.Remove(sock.path()) -+ } -+ return nil -+} -+ - func connect(address string, d func(string, time.Duration) (net.Conn, error)) (net.Conn, error) { - return d(address, 100*time.Second) - } - --func annonDialer(address string, timeout time.Duration) (net.Conn, error) { -- address = strings.TrimPrefix(address, "unix://") -- return net.DialTimeout("unix", "\x00"+address, timeout) -+func anonDialer(address string, timeout time.Duration) (net.Conn, error) { -+ return net.DialTimeout("unix", socket(address).path(), timeout) - } - - // WithConnect connects to an existing shim - func WithConnect(address string, onClose func()) Opt { - return 
func(ctx context.Context, config shim.Config) (shimapi.ShimService, io.Closer, error) { -- conn, err := connect(address, annonDialer) -+ conn, err := connect(address, anonDialer) - if err != nil { - return nil, nil, err - } -diff --git a/runtime/v2/runc/v1/service.go b/runtime/v2/runc/v1/service.go -index 21a4e3355..846f736aa 100644 ---- a/runtime/v2/runc/v1/service.go -+++ b/runtime/v2/runc/v1/service.go -@@ -134,20 +134,26 @@ func (s *service) StartShim(ctx context.Context, id, containerdBinary, container - if err != nil { - return "", err - } -- address, err := shim.SocketAddress(ctx, id) -+ address, err := shim.SocketAddress(ctx, containerdAddress, id) - if err != nil { - return "", err - } - socket, err := shim.NewSocket(address) - if err != nil { -- return "", err -+ if !shim.SocketEaddrinuse(err) { -+ return "", err -+ } -+ if err := shim.RemoveSocket(address); err != nil { -+ return "", errors.Wrap(err, "remove already used socket") -+ } -+ if socket, err = shim.NewSocket(address); err != nil { -+ return "", err -+ } - } -- defer socket.Close() - f, err := socket.File() - if err != nil { - return "", err - } -- defer f.Close() - - cmd.ExtraFiles = append(cmd.ExtraFiles, f) - -@@ -156,6 +162,7 @@ func (s *service) StartShim(ctx context.Context, id, containerdBinary, container - } - defer func() { - if err != nil { -+ _ = shim.RemoveSocket(address) - cmd.Process.Kill() - } - }() -@@ -550,6 +557,9 @@ func (s *service) Connect(ctx context.Context, r *taskAPI.ConnectRequest) (*task - func (s *service) Shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*ptypes.Empty, error) { - s.cancel() - close(s.events) -+ if address, err := shim.ReadAddress("address"); err == nil { -+ _ = shim.RemoveSocket(address) -+ } - return empty, nil - } - -diff --git a/runtime/v2/runc/v2/service.go b/runtime/v2/runc/v2/service.go -index ff34a9c6d..d4f5192c1 100644 ---- a/runtime/v2/runc/v2/service.go -+++ b/runtime/v2/runc/v2/service.go -@@ -25,7 +25,6 @@ import ( - "os" - 
"os/exec" - "path/filepath" -- "strings" - "sync" - "syscall" - "time" -@@ -96,6 +95,10 @@ func New(ctx context.Context, id string, publisher shim.Publisher, shutdown func - return nil, errors.Wrap(err, "failed to initialized platform behavior") - } - go s.forward(ctx, publisher) -+ -+ if address, err := shim.ReadAddress("address"); err == nil { -+ s.shimAddress = address -+ } - return s, nil - } - -@@ -115,7 +118,8 @@ type service struct { - - containers map[string]*runc.Container - -- cancel func() -+ shimAddress string -+ cancel func() - } - - func newCommand(ctx context.Context, id, containerdBinary, containerdAddress, containerdTTRPCAddress string) (*exec.Cmd, error) { -@@ -158,7 +162,7 @@ func readSpec() (*spec, error) { - return &s, nil - } - --func (s *service) StartShim(ctx context.Context, id, containerdBinary, containerdAddress, containerdTTRPCAddress string) (string, error) { -+func (s *service) StartShim(ctx context.Context, id, containerdBinary, containerdAddress, containerdTTRPCAddress string) (_ string, retErr error) { - cmd, err := newCommand(ctx, id, containerdBinary, containerdAddress, containerdTTRPCAddress) - if err != nil { - return "", err -@@ -174,34 +178,52 @@ func (s *service) StartShim(ctx context.Context, id, containerdBinary, container - break - } - } -- address, err := shim.SocketAddress(ctx, grouping) -+ address, err := shim.SocketAddress(ctx, containerdAddress, grouping) - if err != nil { - return "", err - } -+ - socket, err := shim.NewSocket(address) - if err != nil { -- if strings.Contains(err.Error(), "address already in use") { -+ // the only time where this would happen is if there is a bug and the socket -+ // was not cleaned up in the cleanup method of the shim or we are using the -+ // grouping functionality where the new process should be run with the same -+ // shim as an existing container -+ if !shim.SocketEaddrinuse(err) { -+ return "", errors.Wrap(err, "create new shim socket") -+ } -+ if shim.CanConnect(address) { - 
if err := shim.WriteAddress("address", address); err != nil { -- return "", err -+ return "", errors.Wrap(err, "write existing socket for shim") - } - return address, nil - } -- return "", err -+ if err := shim.RemoveSocket(address); err != nil { -+ return "", errors.Wrap(err, "remove pre-existing socket") -+ } -+ if socket, err = shim.NewSocket(address); err != nil { -+ return "", errors.Wrap(err, "try create new shim socket 2x") -+ } - } -- defer socket.Close() -+ defer func() { -+ if retErr != nil { -+ socket.Close() -+ _ = shim.RemoveSocket(address) -+ } -+ }() - f, err := socket.File() - if err != nil { - return "", err - } -- defer f.Close() - - cmd.ExtraFiles = append(cmd.ExtraFiles, f) - - if err := cmd.Start(); err != nil { -+ f.Close() - return "", err - } - defer func() { -- if err != nil { -+ if retErr != nil { - cmd.Process.Kill() - } - }() -@@ -251,7 +273,6 @@ func (s *service) Cleanup(ctx context.Context) (*taskAPI.DeleteResponse, error) - if err != nil { - return nil, err - } -- - runtime, err := runc.ReadRuntime(path) - if err != nil { - return nil, err -@@ -610,7 +631,9 @@ func (s *service) Shutdown(ctx context.Context, r *taskAPI.ShutdownRequest) (*pt - if s.platform != nil { - s.platform.Close() - } -- -+ if s.shimAddress != "" { -+ _ = shim.RemoveSocket(s.shimAddress) -+ } - return empty, nil - } - -diff --git a/runtime/v2/shim/shim.go b/runtime/v2/shim/shim.go -index d540aa87e..b91aa54e5 100644 ---- a/runtime/v2/shim/shim.go -+++ b/runtime/v2/shim/shim.go -@@ -101,7 +101,7 @@ func parseFlags() { - flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs") - flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim") - flag.StringVar(&idFlag, "id", "", "id of the task") -- flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve") -+ flag.StringVar(&socketFlag, "socket", "", "socket path to serve") - flag.StringVar(&bundlePath, "bundle", "", "path to the bundle if not workdir") - - 
flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd") -@@ -183,7 +183,6 @@ func run(id string, initFunc Init, config Config) error { - ctx = context.WithValue(ctx, OptsKey{}, Opts{BundlePath: bundlePath, Debug: debugFlag}) - ctx = log.WithLogger(ctx, log.G(ctx).WithField("runtime", id)) - ctx, cancel := context.WithCancel(ctx) -- - service, err := initFunc(ctx, idFlag, publisher, cancel) - if err != nil { - return err -@@ -288,11 +287,15 @@ func serve(ctx context.Context, server *ttrpc.Server, path string) error { - return err - } - go func() { -- defer l.Close() - if err := server.Serve(ctx, l); err != nil && - !strings.Contains(err.Error(), "use of closed network connection") { - logrus.WithError(err).Fatal("containerd-shim: ttrpc server failure") - } -+ l.Close() -+ if address, err := ReadAddress("address"); err == nil { -+ _ = RemoveSocket(address) -+ } -+ - }() - return nil - } -diff --git a/runtime/v2/shim/shim_unix.go b/runtime/v2/shim/shim_unix.go -index e6dc3e02f..a712dc7a5 100644 ---- a/runtime/v2/shim/shim_unix.go -+++ b/runtime/v2/shim/shim_unix.go -@@ -58,15 +58,15 @@ func serveListener(path string) (net.Listener, error) { - l, err = net.FileListener(os.NewFile(3, "socket")) - path = "[inherited from parent]" - } else { -- if len(path) > 106 { -- return nil, errors.Errorf("%q: unix socket path too long (> 106)", path) -+ if len(path) > socketPathLimit { -+ return nil, errors.Errorf("%q: unix socket path too long (> %d)", path, socketPathLimit) - } -- l, err = net.Listen("unix", "\x00"+path) -+ l, err = net.Listen("unix", path) - } - if err != nil { - return nil, err - } -- logrus.WithField("socket", path).Debug("serving api on abstract socket") -+ logrus.WithField("socket", path).Debug("serving api on socket") - return l, nil - } - -diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go -index c8efd0dac..2bb786d90 100644 ---- a/runtime/v2/shim/util.go -+++ b/runtime/v2/shim/util.go -@@ -169,7 +169,7 @@ func 
WriteAddress(path, address string) error { - // ErrNoAddress is returned when the address file has no content - var ErrNoAddress = errors.New("no shim address") - --// ReadAddress returns the shim's abstract socket address from the path -+// ReadAddress returns the shim's socket address from the path - func ReadAddress(path string) (string, error) { - path, err := filepath.Abs(path) - if err != nil { -diff --git a/runtime/v2/shim/util_unix.go b/runtime/v2/shim/util_unix.go -index 7ca65033f..e707fc59b 100644 ---- a/runtime/v2/shim/util_unix.go -+++ b/runtime/v2/shim/util_unix.go -@@ -34,7 +34,10 @@ import ( - "github.com/pkg/errors" - ) - --const shimBinaryFormat = "containerd-shim-%s-%s" -+const ( -+ shimBinaryFormat = "containerd-shim-%s-%s" -+ socketPathLimit = 106 -+) - - func getSysProcAttr() *syscall.SysProcAttr { - return &syscall.SysProcAttr{ -@@ -62,20 +65,21 @@ func AdjustOOMScore(pid int) error { - return nil - } - --// SocketAddress returns an abstract socket address --func SocketAddress(ctx context.Context, id string) (string, error) { -+const socketRoot = "/run/containerd" -+ -+// SocketAddress returns a socket address -+func SocketAddress(ctx context.Context, socketPath, id string) (string, error) { - ns, err := namespaces.NamespaceRequired(ctx) - if err != nil { - return "", err - } -- d := sha256.Sum256([]byte(filepath.Join(ns, id))) -- return filepath.Join(string(filepath.Separator), "containerd-shim", fmt.Sprintf("%x.sock", d)), nil -+ d := sha256.Sum256([]byte(filepath.Join(socketPath, ns, id))) -+ return fmt.Sprintf("unix://%s/%x", filepath.Join(socketRoot, "s"), d), nil - } - --// AnonDialer returns a dialer for an abstract socket -+// AnonDialer returns a dialer for a socket - func AnonDialer(address string, timeout time.Duration) (net.Conn, error) { -- address = strings.TrimPrefix(address, "unix://") -- return net.DialTimeout("unix", "\x00"+address, timeout) -+ return net.DialTimeout("unix", socket(address).path(), timeout) - } - - func 
AnonReconnectDialer(address string, timeout time.Duration) (net.Conn, error) { -@@ -84,12 +88,82 @@ func AnonReconnectDialer(address string, timeout time.Duration) (net.Conn, error - - // NewSocket returns a new socket - func NewSocket(address string) (*net.UnixListener, error) { -- if len(address) > 106 { -- return nil, errors.Errorf("%q: unix socket path too long (> 106)", address) -+ var ( -+ sock = socket(address) -+ path = sock.path() -+ ) -+ if !sock.isAbstract() { -+ if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil { -+ return nil, errors.Wrapf(err, "%s", path) -+ } - } -- l, err := net.Listen("unix", "\x00"+address) -+ l, err := net.Listen("unix", path) - if err != nil { -- return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address) -+ return nil, err -+ } -+ if err := os.Chmod(path, 0600); err != nil { -+ os.Remove(sock.path()) -+ l.Close() -+ return nil, err - } - return l.(*net.UnixListener), nil - } -+ -+const abstractSocketPrefix = "\x00" -+ -+type socket string -+ -+func (s socket) isAbstract() bool { -+ return !strings.HasPrefix(string(s), "unix://") -+} -+ -+func (s socket) path() string { -+ path := strings.TrimPrefix(string(s), "unix://") -+ // if there was no trim performed, we assume an abstract socket -+ if len(path) == len(s) { -+ path = abstractSocketPrefix + path -+ } -+ return path -+} -+ -+// RemoveSocket removes the socket at the specified address if -+// it exists on the filesystem -+func RemoveSocket(address string) error { -+ sock := socket(address) -+ if !sock.isAbstract() { -+ return os.Remove(sock.path()) -+ } -+ return nil -+} -+ -+// SocketEaddrinuse returns true if the provided error is caused by the -+// EADDRINUSE error number -+func SocketEaddrinuse(err error) bool { -+ netErr, ok := err.(*net.OpError) -+ if !ok { -+ return false -+ } -+ if netErr.Op != "listen" { -+ return false -+ } -+ syscallErr, ok := netErr.Err.(*os.SyscallError) -+ if !ok { -+ return false -+ } -+ errno, ok := 
syscallErr.Err.(syscall.Errno) -+ if !ok { -+ return false -+ } -+ return errno == syscall.EADDRINUSE -+} -+ -+// CanConnect returns true if the socket provided at the address -+// is accepting new connections -+func CanConnect(address string) bool { -+ conn, err := AnonDialer(address, 100*time.Millisecond) -+ if err != nil { -+ return false -+ } -+ conn.Close() -+ return true -+} -diff --git a/runtime/v2/shim/util_windows.go b/runtime/v2/shim/util_windows.go -index a94cdf250..325c29004 100644 ---- a/runtime/v2/shim/util_windows.go -+++ b/runtime/v2/shim/util_windows.go -@@ -79,3 +79,9 @@ func AnonDialer(address string, timeout time.Duration) (net.Conn, error) { - return c, nil - } - } -+ -+// RemoveSocket removes the socket at the specified address if -+// it exists on the filesystem -+func RemoveSocket(address string) error { -+ return nil -+} --- -2.29.2 - diff --git a/packages/containerd/Cargo.toml b/packages/containerd/Cargo.toml index 0875efb5853..ca1dcb62f93 100644 --- a/packages/containerd/Cargo.toml +++ b/packages/containerd/Cargo.toml @@ -9,8 +9,8 @@ build = "build.rs" path = "pkg.rs" [[package.metadata.build-package.external-files]] -url = "https://github.com/containerd/containerd/archive/v1.3.7/containerd-1.3.7.tar.gz" -sha512 = "dab23d75b3c7cb5aa766f7424d0b1d2a3e316b926ad58426d062fb6d24a998df96ceb1d92bacceee93ff908ee22401e4bb7730cf9674c81766927858c106ba76" +url = "https://github.com/containerd/containerd/archive/v1.4.3/containerd-1.4.3.tar.gz" +sha512 = "40501a45c46e4f2f6df1ce9e4142612863b400bb2e804b1e23a0b9f0b1ed3d5c83a6fcce4e70f82a4557ce0f301e2de11cf2935039cb74b8ebec0dc71752406e" [build-dependencies] glibc = { path = "../glibc" } diff --git a/packages/containerd/containerd.spec b/packages/containerd/containerd.spec index 9accdbdac60..c6b387cc356 100644 --- a/packages/containerd/containerd.spec +++ b/packages/containerd/containerd.spec 
@@ -2,9 +2,9 @@ %global gorepo containerd %global goimport %{goproject}/%{gorepo} -%global gover 1.3.7 +%global gover 1.4.3 %global rpmver %{gover} -%global gitrev 8fba4e9a7d01810a393d5d25a3621dc101981175 +%global gitrev 269548fa27e0089a8b8278fc4fc781d7f65a939b %global _dwz_low_mem_die_limit 0 @@ -23,30 +23,11 @@ Source5: containerd-tmpfiles.conf Source6: containerd-config-toml_vmware-dev Source1000: clarify.toml -# Upstream patch; can drop when we move to v1.4.0. -Patch0001: 0001-Use-spec-s-mountLabel-when-mounting-the-rootfs.patch - # TODO: submit this upstream. Patch1001: 1001-cri-reduce-logging-when-no-errors-have-occurred.patch -# Local patches for CRI to use the default system SELinux labels. -# TODO: these need to be reworked for the MCS changes in v1.4.0. -Patch2001: 2001-selinux-add-DefaultLabels-helper.patch -Patch2002: 2002-cri-use-default-SELinux-labels-as-a-fallback.patch - -# Local patch for CRI to override the default RLIMIT_NOFILE. # TODO: submit this upstream, including a unit test. -Patch3001: 3001-cri-set-default-RLIMIT_NOFILE.patch - -# Upstream patches; can drop when we move to 1.4.1 -Patch4001: 4001-Exit-signal-forward-if-process-not-found.patch -Patch4002: 4002-Ignore-SIGURG-signals-in-signal-forwarder.patch - -# Upstream patch; can drop when we move to 1.4.1 -Patch5001: 5001-Always-consume-shim-logs.patch - -# Upstream patch; can drop when we move to 1.3.9 or 1.4.2 -Patch6001: 6001-CVE-2020-15257.patch +Patch1002: 1002-cri-set-default-RLIMIT_NOFILE.patch BuildRequires: git BuildRequires: %{_cross_os}glibc-devel @@ -54,7 +35,6 @@ BuildRequires: %{_cross_os}libseccomp-devel Requires: %{_cross_os}cni-plugins Requires: %{_cross_os}libseccomp Requires: %{_cross_os}runc -Requires: %{_cross_os}socat Requires: %{_cross_os}systemd %description From 2f36a94aacf4c046a77db73455dd09c5a8269e23 Mon Sep 17 00:00:00 2001 
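Review bot: The rename of the RLIMIT_NOFILE patch to Patch1002 in the second hunk drops the descriptive line `# Local patch for CRI to override the default RLIMIT_NOFILE.` and keeps only the `# TODO: submit this upstream, including a unit test.` comment above it, so the spec no longer says what that patch does. Restoring the description line above the TODO keeps the patch list self-describing, in the same way the 1001 entry carries its own comment.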
From: Ben Cressey Date: Fri, 19 Feb 2021 23:02:36 +0000 Subject: [PATCH 2/4] containerd: fix volume mount labels for CRI This fixes an issue where volume mounts received the `cache_t` label, which is not writable by most processes. Signed-off-by: Ben Cressey --- ...logging-when-no-errors-have-occurred.patch | 4 +- .../1002-cri-set-default-RLIMIT_NOFILE.patch | 4 +- ...l-volumes-after-copying-source-files.patch | 86 +++++++++++++++++++ packages/containerd/containerd.spec | 3 + 4 files changed, 93 insertions(+), 4 deletions(-) create mode 100644 packages/containerd/1003-cri-relabel-volumes-after-copying-source-files.patch diff --git a/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch b/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch index 3849b99631a..796e996031c 100644 --- a/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch +++ b/packages/containerd/1001-cri-reduce-logging-when-no-errors-have-occurred.patch @@ -1,7 +1,7 @@ -From bc5b05e893c4f95057d881e5a7676d221ad14588 Mon Sep 17 00:00:00 2001 +From 4cbd7bccb089e6954f687b270b4383a16cfc6dec Mon Sep 17 00:00:00 2001 From: Matt Briggs Date: Wed, 1 Apr 2020 16:55:04 -0700 -Subject: [PATCH 1001/1002] cri: reduce logging when no errors have occurred +Subject: [PATCH 1001/1003] cri: reduce logging when no errors have occurred --- .../containerd/cri/pkg/server/container_execsync.go | 3 ++- diff --git a/packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch b/packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch index 46406383774..734bd94e729 100644 --- a/packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch +++ b/packages/containerd/1002-cri-set-default-RLIMIT_NOFILE.patch @@ -1,7 +1,7 @@ -From f6cb04298ec80f137d42689c18087e5ba942f98d Mon Sep 17 00:00:00 2001 +From 2223c4f21880a3fe7086008f0db665da55ee1d44 Mon Sep 17 00:00:00 2001 
From: Zac Mrowicki Date: Thu, 22 Oct 2020 20:44:38 +0000 -Subject: [PATCH 1002/1002] cri: set default RLIMIT_NOFILE +Subject: [PATCH 1002/1003] cri: set default RLIMIT_NOFILE The `cri` plugin currently inherits the limit from the default OCI spec or the containerd process. This change sets the default hard diff --git a/packages/containerd/1003-cri-relabel-volumes-after-copying-source-files.patch b/packages/containerd/1003-cri-relabel-volumes-after-copying-source-files.patch new file mode 100644 index 00000000000..8a1a91ada42 --- /dev/null +++ b/packages/containerd/1003-cri-relabel-volumes-after-copying-source-files.patch 
@@ -0,0 +1,86 @@ +From 267bdad4dfaaf40bf09514979acab10619205d9d Mon Sep 17 00:00:00 2001 +From: Ben Cressey +Date: Fri, 19 Feb 2021 22:11:12 +0000 +Subject: [PATCH 1003/1003] cri: relabel volumes after copying source files + +Otherwise the extended attributes from the source files will be used +instead of the expected label, which could prevent processes inside +the container from reading or writing to them. + +Signed-off-by: Ben Cressey +--- + .../containerd/cri/pkg/containerd/opts/container.go | 12 +++++++++++- + .../containerd/cri/pkg/server/container_create.go | 10 ++++++++-- + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go +index fe199d5fb..4f0f32b4e 100644 +--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go ++++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go +@@ -29,6 +29,8 @@ import ( + "github.com/containerd/containerd/mount" + "github.com/containerd/continuity/fs" + "github.com/pkg/errors" ++ "github.com/opencontainers/selinux/go-selinux/label" ++ "golang.org/x/sys/unix" + ) + + // WithNewSnapshot wraps `containerd.WithNewSnapshot` so that if creating the +@@ -53,7 +55,7 @@ func WithNewSnapshot(id string, i containerd.Image) containerd.NewContainerOpts + // WithVolumes copies ownership of volume in rootfs to its corresponding host path. + // It doesn't update runtime spec. + // The passed in map is a host path to container path map for all volumes. 
+-func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts { ++func WithVolumes(volumeMounts map[string]string, mountLabel string) containerd.NewContainerOpts { + return func(ctx context.Context, client *containerd.Client, c *containers.Container) (err error) { + if c.Snapshotter == "" { + return errors.New("no snapshotter set for container") +@@ -99,6 +101,14 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts { + if err := copyExistingContents(src, host); err != nil { + return errors.Wrap(err, "taking runtime copy of volume") + } ++ ++ // Relabel the host directory after copying, since xattrs will be copied ++ // from the source and might not be correct. ++ if mountLabel != "" { ++ if err := label.Relabel(host, mountLabel, false); err != nil && err != unix.ENOTSUP { ++ return errors.Wrapf(err, "relabel %q with %q failed", host, mountLabel) ++ } ++ } + } + return nil + } +diff --git a/vendor/github.com/containerd/cri/pkg/server/container_create.go b/vendor/github.com/containerd/cri/pkg/server/container_create.go +index 12c068518..21e334121 100644 +--- a/vendor/github.com/containerd/cri/pkg/server/container_create.go ++++ b/vendor/github.com/containerd/cri/pkg/server/container_create.go +@@ -189,7 +189,11 @@ func (c *criService) CreateContainer(ctx context.Context, r *runtime.CreateConta + for _, v := range volumeMounts { + mountMap[filepath.Clean(v.HostPath)] = v.ContainerPath + } +- opts = append(opts, customopts.WithVolumes(mountMap)) ++ mountLabel := "" ++ if spec.Linux != nil { ++ mountLabel = spec.Linux.MountLabel ++ } ++ opts = append(opts, customopts.WithVolumes(mountMap, mountLabel)) + } + meta.ImageRef = image.ID + meta.StopSignal = image.ImageSpec.Config.StopSignal +@@ -292,10 +296,12 @@ func (c *criService) volumeMounts(containerRootDir string, criMounts []*runtime. + volumeID := util.GenerateID() + src := filepath.Join(containerRootDir, "volumes", volumeID) + // addOCIBindMounts will create these volumes. 
++ // The volume should not be relabeled yet, since any labels will be overwritten when ++ // the contents are copied from the source. + mounts = append(mounts, &runtime.Mount{ + ContainerPath: dst, + HostPath: src, +- SelinuxRelabel: true, ++ SelinuxRelabel: false, + }) + } + return mounts +-- +2.26.2 + diff --git a/packages/containerd/containerd.spec b/packages/containerd/containerd.spec index c6b387cc356..3cef3b1f541 100644 --- a/packages/containerd/containerd.spec +++ b/packages/containerd/containerd.spec @@ -29,6 +29,9 @@ Patch1001: 1001-cri-reduce-logging-when-no-errors-have-occurred.patch # TODO: submit this upstream, including a unit test. Patch1002: 1002-cri-set-default-RLIMIT_NOFILE.patch +# TODO: rework this so it's suitable for upstream. +Patch1003: 1003-cri-relabel-volumes-after-copying-source-files.patch + BuildRequires: git BuildRequires: %{_cross_os}glibc-devel BuildRequires: %{_cross_os}libseccomp-devel From e86305fb6b2ecf7307026a09359ed7f3edb8b900 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Fri, 19 Feb 2021 23:20:44 +0000 Subject: [PATCH 3/4] runc: upgrade to 1.0.0-rc93 Set the version and commit strings for `runc -v` output. Drop the /dev/mqueue patch, which was fixed upstream: https://github.com/opencontainers/runc/pull/2558 Signed-off-by: Ben Cressey --- .../runc/0001-do-not-label-dev-mqueue.patch | 51 ------------------- packages/runc/Cargo.toml | 4 +- packages/runc/runc.spec | 21 ++++---- 3 files changed, 14 insertions(+), 62 deletions(-) delete mode 100644 packages/runc/0001-do-not-label-dev-mqueue.patch diff --git a/packages/runc/0001-do-not-label-dev-mqueue.patch b/packages/runc/0001-do-not-label-dev-mqueue.patch deleted file mode 100644 index e1d5691c481..00000000000 --- a/packages/runc/0001-do-not-label-dev-mqueue.patch +++ /dev/null 
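Review bot: `err != unix.ENOTSUP` in the new relabel block of WithVolumes only matches a bare errno; if `label.Relabel` returns the errno wrapped (for example inside an `*os.PathError`), an ENOTSUP from a filesystem without xattr support would abort container creation instead of being tolerated as the condition intends, whereas `errors.Is(err, unix.ENOTSUP)` covers both forms, provided the vendored errors package offers it. A second point worth confirming is that every volume actually reaches this block: the loop body above the hunk is not visible, and if WithVolumes skips volumes whose source path is absent from the image, those host directories now receive no label at all, since volumeMounts switches to `SelinuxRelabel: false`. The enclosing loop and function start outside the hunk. The two added imports are also out of alphabetical order relative to `github.com/pkg/errors`; goimports would move them.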
@@ -1,51 +0,0 @@ -From 2e6701d7f47c7cd8e75beb3c8669a2d6700008e2 Mon Sep 17 00:00:00 2001 -From: Ben Cressey -Date: Wed, 27 May 2020 23:01:54 +0000 -Subject: [PATCH] do not label /dev/mqueue - -The mqueue filesystem shares its label with the host, and trying to -mount it with a different label leads to an "invalid mount" warning. - -Signed-off-by: Ben Cressey ---- - libcontainer/rootfs_linux.go | 16 ++-------------- - 1 file changed, 2 insertions(+), 14 deletions(-) - -diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go -index 106c4c2..32b6575 100644 ---- a/libcontainer/rootfs_linux.go -+++ b/libcontainer/rootfs_linux.go -@@ -298,7 +298,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b - } - - switch m.Device { -- case "proc", "sysfs": -+ case "proc", "sysfs", "mqueue": - // If the destination already exists and is not a directory, we bail - // out This is to avoid mounting through a symlink or similar -- which - // has been a "fun" attack scenario in the past. -@@ -314,20 +314,8 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b - if err := os.MkdirAll(dest, 0755); err != nil { - return err - } -- // Selinux kernels do not support labeling of /proc or /sys -+ // Selinux kernels do not support labeling of /proc, /sys, or /dev/mqueue - return mountPropagate(m, rootfs, "") -- case "mqueue": -- if err := os.MkdirAll(dest, 0755); err != nil { -- return err -- } -- if err := mountPropagate(m, rootfs, mountLabel); err != nil { -- // older kernels do not support labeling of /dev/mqueue -- if err := mountPropagate(m, rootfs, ""); err != nil { -- return err -- } -- return label.SetFileLabel(dest, mountLabel) -- } -- return nil - case "tmpfs": - copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP - tmpDir := "" --- -2.21.0 - diff --git a/packages/runc/Cargo.toml b/packages/runc/Cargo.toml index a49bee5833f..f21a52f3366 100644 --- a/packages/runc/Cargo.toml 
+++ b/packages/runc/Cargo.toml @@ -9,8 +9,8 @@ build = "build.rs" path = "pkg.rs" [[package.metadata.build-package.external-files]] -url = "https://github.com/opencontainers/runc/archive/ff819c7e9184c13b7c2607fe6c30ae19403a7aff/runc-ff819c7e9184c13b7c2607fe6c30ae19403a7aff.tar.gz" -sha512 = "a777e0a2e8c6c9dbb507e1f4aed4092503f6b508647fd11eb58e1fbede273a5f6d3f57c71162f841e340dc3608275f499383581990ccf47a6ffd709bad23ed8c" +url = "https://github.com/opencontainers/runc/archive/12644e614e25b05da6fd08a38ffa0cfe1903fdec/runc-12644e614e25b05da6fd08a38ffa0cfe1903fdec.tar.gz" +sha512 = "babfd3ef2d18c27ba64c147037e8b48a3c9c42ed39af1cd83d887d9827f224b0de89233a61de0de81276059ed96a3e050abec4d550b20bd6905731a541266f42" [build-dependencies] glibc = { path = "../glibc" } diff --git a/packages/runc/runc.spec b/packages/runc/runc.spec index d0d134f73b9..333c8813af6 100644 --- a/packages/runc/runc.spec +++ b/packages/runc/runc.spec @@ -1,25 +1,22 @@ %global goproject github.com/opencontainers %global gorepo runc %global goimport %{goproject}/%{gorepo} -%global commit ff819c7e9184c13b7c2607fe6c30ae19403a7aff -%global shortcommit ff819c7 +%global commit 12644e614e25b05da6fd08a38ffa0cfe1903fdec +%global shortcommit 12644e6 -%global gover 1.0.0-rc92 -%global rpmver 1.0.0~rc92 +%global gover 1.0.0-rc93 +%global rpmver 1.0.0~rc93 %global _dwz_low_mem_die_limit 0 Name: %{_cross_os}%{gorepo} Version: %{rpmver} -Release: 2.%{shortcommit}%{?dist} +Release: 1.%{shortcommit}%{?dist} Summary: CLI for running Open Containers License: Apache-2.0 URL: https://%{goimport} Source0: https://%{goimport}/archive/%{commit}/%{gorepo}-%{commit}.tar.gz -# TODO: see if this can go upstream -Patch0001: 0001-do-not-label-dev-mqueue.patch - BuildRequires: git BuildRequires: %{_cross_os}glibc-devel BuildRequires: %{_cross_os}libseccomp-devel 
@@ -34,8 +31,14 @@ Requires: %{_cross_os}libseccomp %build %cross_go_configure %{goimport} +export LD_VERSION="-X main.version=%{gover}+bottlerocket" +export LD_COMMIT="-X main.gitCommit=%{commit}" export BUILDTAGS="ambient seccomp selinux" -go build -buildmode=pie -ldflags=-linkmode=external -tags="${BUILDTAGS}" -o bin/runc . +go build \ + -buildmode=pie \ + -ldflags="-linkmode=external ${LD_VERSION} ${LD_COMMIT}" \ + -tags="${BUILDTAGS}" \ + -o bin/runc . %install install -d %{buildroot}%{_cross_bindir} From 6847161d08b9ed25455448e3ff64ac958c1c25e4 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Wed, 17 Feb 2021 20:05:36 +0000 Subject: [PATCH 4/4] remove socat package CRI has its own implementation for port forwarding now, and there are no other packages that depend on this. Signed-off-by: Ben Cressey --- packages/Cargo.lock | 7 ---- packages/Cargo.toml | 1 - packages/socat/Cargo.toml | 16 ---------- packages/socat/build.rs | 9 ------ packages/socat/pkg.rs | 1 - packages/socat/socat.spec | 67 --------------------------------------- 6 files changed, 101 deletions(-) delete mode 100644 packages/socat/Cargo.toml delete mode 100644 packages/socat/build.rs delete mode 100644 packages/socat/pkg.rs delete mode 100644 packages/socat/socat.spec diff --git a/packages/Cargo.lock b/packages/Cargo.lock index 8372660430d..edb2a97074d 100644 --- a/packages/Cargo.lock +++ b/packages/Cargo.lock @@ -495,13 +495,6 @@ dependencies = [ name = "selinux-policy" version = "0.1.0" -[[package]] -name = "socat" -version = "0.1.0" -dependencies = [ - "glibc", -] - [[package]] name = "strace" version = "0.1.0" diff --git a/packages/Cargo.toml b/packages/Cargo.toml index a5197b6bbc4..5ee1b3e39c5 100644 --- a/packages/Cargo.toml +++ b/packages/Cargo.toml @@ -65,7 +65,6 @@ members = [ "release", "runc", "selinux-policy", - "socat", "strace", "systemd", "tcpdump", diff --git a/packages/socat/Cargo.toml b/packages/socat/Cargo.toml deleted file mode 100644 index 02584be147b..00000000000 
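Review bot: The new `export LD_VERSION`/`export LD_COMMIT` lines carry no comment explaining why the binary is now stamped, and the `+bottlerocket` suffix on the version is a local convention a later maintainer would otherwise have to guess at; I'd add `# Stamp version and commit so "runc -v" identifies the exact source this package was built from.` above them. Since both variables are consumed only by the `go build` invocation in the same `%build` shell, `export` is not needed, though it mirrors the existing `BUILDTAGS` line, so keeping it is a defensible style choice. Separately, with the jump to rc93 it is worth confirming that the `ambient` and `selinux` entries in `BUILDTAGS` still select any files in this runc version, because Go silently ignores tags nothing references; I can't verify that from the hunk.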
--- a/packages/socat/Cargo.toml
+++ /dev/null
@@ -1,16 +0,0 @@
-[package]
-name = "socat"
-version = "0.1.0"
-edition = "2018"
-publish = false
-build = "build.rs"
-
-[lib]
-path = "pkg.rs"
-
-[[package.metadata.build-package.external-files]]
-url = "http://www.dest-unreach.org/socat/download/socat-1.7.4.0.tar.bz2"
-sha512 = "c4d166c2259271a70f81d6c4972549549c3fc60a9e47cc03eff1dd4d71c298ac39c177ae3c053dc0c97c2770fe8d157fd0bc6f2c14aef91625f868894d5d7c61"
-
-[build-dependencies]
-glibc = { path = "../glibc" }
diff --git a/packages/socat/build.rs
deleted file mode 100644
index cad8999af53..00000000000
--- a/packages/socat/build.rs
+++ /dev/null
@@ -1,9 +0,0 @@
-use std::process::{exit, Command};
-
-fn main() -> Result<(), std::io::Error> {
- let ret = Command::new("buildsys").arg("build-package").status()?;
- if !ret.success() {
- exit(1);
- }
- Ok(())
-}
diff --git a/packages/socat/pkg.rs
deleted file mode 100644
index d799fb2d44c..00000000000
--- a/packages/socat/pkg.rs
+++ /dev/null
@@ -1 +0,0 @@
-// not used
diff --git a/packages/socat/socat.spec
deleted file mode 100644
index 2d7b039e99f..00000000000
--- a/packages/socat/socat.spec
+++ /dev/null
@@ -1,67 +0,0 @@
-Name: %{_cross_os}socat
-Version: 1.7.4.0
-Release: 1%{?dist}
-Summary: Transfer data between two channels
-License: GPL-2.0-only
-URL: http://www.dest-unreach.org/socat/
-Source0: http://www.dest-unreach.org/socat/download/socat-%{version}.tar.bz2
-BuildRequires: %{_cross_os}glibc-devel
-
-%description
-%{summary}.
-
-%prep
-%autosetup -n socat-%{version} -p1
-
-%build
-%cross_configure \
- CFLAGS="-Wformat ${CFLAGS}" \
- --enable-help \
- --enable-ip4 \
- --enable-ip6 \
- --enable-stdio \
- --enable-tcp \
- --enable-udp \
- --disable-abstract-unixsocket \
- --disable-creat \
- --disable-exec \
- --disable-ext2 \
- --disable-fdnum \
- --disable-filan \
- --disable-file \
- --disable-fips \
- --disable-genericsocket \
- --disable-gopen \
- --disable-interface \
- --disable-listen \
- --disable-libwrap \
- --disable-openssl \
- --disable-pipe \
- --disable-proxy \
- --disable-pty \
- --disable-rawip \
- --disable-readline \
- --disable-retry \
- --disable-sctp \
- --disable-socks4 \
- --disable-socks4a \
- --disable-sycls \
- --disable-system \
- --disable-termios \
- --disable-tun \
- --disable-unix \
-
-%make_build
-
-%install
-%make_install
-
-%files
-%license COPYING
-%{_cross_attribution_file}
-%{_cross_bindir}/socat
-%exclude %{_cross_bindir}/filan
-%exclude %{_cross_bindir}/procan
-%exclude %{_cross_mandir}/*
-
-%changelog