From 88581c10f36464bfac5cf74165fa04411c399a0e Mon Sep 17 00:00:00 2001
From: Lucas Kanashiro
Date: Wed, 10 Mar 2021 16:19:28 -0300
Subject: [PATCH 1/7] New upstream release 1.0.0~rc93

runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc (LP: #1916485).
---
 debian/changelog | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8b6c656..63cfa85 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+runc (1.0.0~rc93-0ubuntu1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ - runc now has special handling for seccomp profiles to avoid making new
+ syscalls unusable for glibc (LP: #1916485).
+
+ -- Lucas Kanashiro Tue, 10 Mar 2021 09:30:36 -0300
+
 runc (1.0.0~rc92-0ubuntu1) hirsute; urgency=medium
 * New upstream release.
From 877e66236e9ba3089499e2a4028432e4f1821e05 Mon Sep 17 00:00:00 2001
From: Lucas Kanashiro
Date: Wed, 10 Mar 2021 16:21:06 -0300
Subject: [PATCH 2/7] Remove patch addressing a bug fixed by upstream

---
 debian/patches/series | 1 -
 .../test--fix_TestGetAdditionalGroups.patch | 29 -------------------
 2 files changed, 30 deletions(-)
 delete mode 100644 debian/patches/test--fix_TestGetAdditionalGroups.patch

diff --git a/debian/patches/series b/debian/patches/series
index e9c12e4..46a8383 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
-test--fix_TestGetAdditionalGroups.patch
 test--skip-Hugetlb.patch
 test--skip_TestFactoryNewTmpfs.patch
 test--skip-fs-related-cgroups-tests.patch
diff --git a/debian/patches/test--fix_TestGetAdditionalGroups.patch b/debian/patches/test--fix_TestGetAdditionalGroups.patch
deleted file mode 100644
index 71226bc..0000000
--- a/debian/patches/test--fix_TestGetAdditionalGroups.patch
+++ /dev/null
@@ -1,29 +0,0 @@ -Last-Update: 2018-06-16 -Forwarded: https://github.com/opencontainers/runc/pull/1821 -Bug-Upstream: https://github.com/opencontainers/runc/issues/941 -Author: Dmitry Smirnov -Description: fix FTBFS on i686 - src/github.com/opencontainers/runc/libcontainer/user/user_test.go:448:36: constant 2147483648 overflows int - ---- a/libcontainer/user/user_test.go -+++ b/libcontainer/user/user_test.go -@@ -445,7 +445,7 @@ - if utils.GetIntSize() > 4 { - tests = append(tests, foo{ - // groups with too large id -- groups: []string{strconv.Itoa(1 << 31)}, -+ groups: []string{strconv.Itoa( 1<<31 -1 )}, - expected: nil, - hasError: true, - }) ---- a/libcontainer/user/user.go -+++ b/libcontainer/user/user.go -@@ -471,7 +471,7 @@ - return nil, fmt.Errorf("Unable to find group %s", ag) - } - // Ensure gid is inside gid range. -- if gid < minId || gid > maxId { -+ if gid < minId || gid >= maxId { - return nil, ErrRange - } - gidMap[gid] = struct{}{} From 8250224fa0d0ce3be1b01d6ff686973dd523e977 Mon Sep 17 00:00:00 2001 From: Lucas Kanashiro Date: Wed, 10 Mar 2021 16:29:42 -0300 Subject: [PATCH 3/7] Refresh patch --- .../test--skip-fs-related-cgroups-tests.patch | 68 ++----------------- 1 file changed, 6 insertions(+), 62 deletions(-) diff --git a/debian/patches/test--skip-fs-related-cgroups-tests.patch b/debian/patches/test--skip-fs-related-cgroups-tests.patch index 9662a80..940bfa1 100644 --- a/debian/patches/test--skip-fs-related-cgroups-tests.patch +++ b/debian/patches/test--skip-fs-related-cgroups-tests.patch @@ -4,7 +4,7 @@ Description: Skip tests which rely on cgroups mountpoints on the filesystem are failing. Author: Lucas Kanashiro Forwarded: not-needed -Last-Updated: 2021-01-12 +Last-Updated: 2021-03-10 --- a/libcontainer/cgroups/fs/fs_test.go +++ b/libcontainer/cgroups/fs/fs_test.go 
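Review bot: The refreshed header line `+Last-Updated: 2021-03-10` keeps a field name that DEP-3 does not define; the DEP-3 field is `Last-Update`, which is the spelling the patch deleted earlier in this series (`test--fix_TestGetAdditionalGroups.patch`) used. A tool that reads quilt patch headers by DEP-3 field name may therefore not see the date at all. Suggest `+Last-Update: 2021-03-10`. The same applies to the new `fix-patchpbf-test-on-32-bit.patch` added in patch 4, whose `Last-Updated: 2021-03-12` line should also read `Last-Update`.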
@@ -16,63 +16,7 @@ Last-Updated: 2021-01-12 if cgroups.IsCgroup2UnifiedMode() { t.Skip("cgroup v2 is not supported") } -@@ -46,6 +47,7 @@ - } - - func TestInvalidAbsoluteCgroupPath(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -81,6 +83,7 @@ - - // XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent. - func TestInvalidCgroupParent(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -117,6 +120,7 @@ - - // XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent. - func TestInvalidAbsoluteCgroupParent(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -153,6 +157,7 @@ - - // XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent. - func TestInvalidCgroupName(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -190,6 +195,7 @@ - - // XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent. - func TestInvalidAbsoluteCgroupName(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -226,6 +232,7 @@ - - // XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent. - func TestInvalidCgroupNameAndParent(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -262,6 +269,7 @@ - - // XXX: Remove me after we get rid of configs.Cgroup.Name and configs.Cgroup.Parent. 
- func TestInvalidAbsoluteCgroupNameAndParent(t *testing.T) { -+ t.Skip("UM - SIGSEGV due to invalid memory access") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } -@@ -297,6 +305,7 @@ +@@ -93,6 +94,7 @@ } func TestTryDefaultCgroupRoot(t *testing.T) { @@ -82,11 +26,11 @@ Last-Updated: 2021-01-12 if cgroups.IsCgroup2UnifiedMode() { --- a/libcontainer/cgroups/fscommon/fscommon_test.go +++ b/libcontainer/cgroups/fscommon/fscommon_test.go -@@ -14,6 +14,7 @@ +@@ -12,6 +12,7 @@ ) func TestWriteCgroupFileHandlesInterrupt(t *testing.T) { + t.Skip("UM - No cgroup mountpoint in memory during build time") - if cgroups.IsCgroup2UnifiedMode() { - t.Skip("cgroup v2 is not supported") - } + const ( + memoryCgroupMount = "/sys/fs/cgroup/memory" + memoryLimit = "memory.limit_in_bytes" From 31f10ab38a869edab1804552b93b6ffea9c2ae08 Mon Sep 17 00:00:00 2001 From: Lucas Kanashiro Date: Fri, 12 Mar 2021 08:43:17 -0300 Subject: [PATCH 4/7] Backport upstream patch to fix patchpbf test on armhf --- .../patches/fix-patchpbf-test-on-32-bit.patch | 74 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 75 insertions(+) create mode 100644 debian/patches/fix-patchpbf-test-on-32-bit.patch diff --git a/debian/patches/fix-patchpbf-test-on-32-bit.patch b/debian/patches/fix-patchpbf-test-on-32-bit.patch new file mode 100644 index 0000000..700794b --- /dev/null +++ b/debian/patches/fix-patchpbf-test-on-32-bit.patch 
@@ -0,0 +1,74 @@ +From: Aleksa Sarai +Date: Tue, 2 Feb 2021 16:30:59 -0800 +Subject: fix patchpbf test on 32-bit + +Origin: https://github.com/opencontainers/runc/pull/2768/commits/47a96495208f5dfdceabc1a2acbfa1c0517aac80 +Reviewed-By: Lucas Kanashiro +Last-Updated: 2021-03-12 +--- + libcontainer/seccomp/patchbpf/enosys_linux_test.go | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go +index 17b92af..f9a4bf6 100644 +--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go ++++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go +@@ -159,7 +159,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) + type syscallTest struct { + syscall string + sysno libseccomp.ScmpSyscall +- expected int ++ expected uint32 + } + + scmpArch, err := libseccomp.GetArchFromString(arch) +@@ -177,9 +177,9 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) + // Add explicit syscalls (whether they will return -ENOSYS + // depends on the filter rules). 
+ for idx, syscall := range explicitSyscalls { +- expected := int(retFallthrough) ++ expected := retFallthrough + if idx >= enosysStart { +- expected = int(retErrnoEnosys) ++ expected = retErrnoEnosys + } + sysno, err := libseccomp.GetSyscallFromNameByArch(syscall, scmpArch) + if err != nil { +@@ -201,7 +201,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) + syscallTests = append(syscallTests, syscallTest{ + sysno: sysno, + syscall: syscall, +- expected: int(retFallthrough), ++ expected: retFallthrough, + }) + } + +@@ -216,7 +216,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) + syscallTests = append(syscallTests, syscallTest{ + sysno: sysno, + syscall: fmt.Sprintf("syscall_%#x", sysno), +- expected: int(retErrnoEnosys), ++ expected: retErrnoEnosys, + }) + } + +@@ -224,14 +224,17 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) + for _, test := range syscallTests { + // Override the expected value in the two special cases. + if !archSet[arch] || isAllowAction(defaultAction) { +- test.expected = int(retFallthrough) ++ test.expected = retFallthrough + } + + payload := mockSyscallPayload(t, test.sysno, nativeArch, 0x1337, 0xF00BA5) +- ret, err := filter.Run(payload) ++ // NOTE: golang.org/x/net/bpf returns int here rather ++ // than uint32. ++ rawRet, err := filter.Run(payload) + if err != nil { + t.Fatalf("error running filter: %v", err) + } ++ ret := uint32(rawRet) + if ret != test.expected { + t.Logf("mock filter for %v %v:", arches, allowedSyscalls) + for idx, insn := range program { diff --git a/debian/patches/series b/debian/patches/series index 46a8383..8c4a128 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ test--skip-Hugetlb.patch test--skip_TestFactoryNewTmpfs.patch test--skip-fs-related-cgroups-tests.patch +fix-patchpbf-test-on-32-bit.patch From ffe93bf61ed70b073ca567973a2f7d40bf7fa9b6 Mon Sep 17 00:00:00 2001 
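Review bot: The narrowing `ret := uint32(rawRet)` is the actual fix, but the comment above it only says that `golang.org/x/net/bpf` returns int; it does not say why converting back is safe, which is the whole reason the test misbehaved on armhf. Suggest extending it to `// NOTE: golang.org/x/net/bpf returns int here rather than uint32; on 32-bit platforms a seccomp return word with the high bit set is negative as int, so convert back and compare as uint32.` The change to `expected uint32` presumably relies on `retFallthrough` and `retErrnoEnosys` being uint32 (or untyped) constants — confirm against their declaration, which is outside the hunk. `testEnosysStub` itself begins and ends outside the hunk.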
From: Lucas Kanashiro Date: Wed, 10 Mar 2021 16:31:42 -0300 Subject: [PATCH 5/7] Update changelog --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 63cfa85..83922bd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,12 @@ runc (1.0.0~rc93-0ubuntu1) UNRELEASED; urgency=medium * New upstream release. - runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc (LP: #1916485). + * Remove patch addressing a bug fixed by upstream: + - debian/patches/test--fix_TestGetAdditionalGroups.patch + * Refresh patch: + - debian/patches/test--skip-fs-related-cgroups-test.patch + * Backport upstream patch to fix patchpbf test on armhf: + - debian/patches/fix-patchpbf-test-on-32-bit.patch -- Lucas Kanashiro Tue, 10 Mar 2021 09:30:36 -0300 From d7b41d41cb6d911e0873e02e11ca10f977da5915 Mon Sep 17 00:00:00 2001 From: Lucas Kanashiro Date: Mon, 15 Mar 2021 14:31:49 -0300 Subject: [PATCH 6/7] d/changelog: add reference to the FFe bug --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 83922bd..f858fc6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ runc (1.0.0~rc93-0ubuntu1) UNRELEASED; urgency=medium - * New upstream release. + * New upstream release (LP: #1919182). - runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc (LP: #1916485). * Remove patch addressing a bug fixed by upstream: From 6bacb3f9f6f4d1c2969530838c31583930035187 Mon Sep 17 00:00:00 2001 From: Lucas Kanashiro Date: Tue, 16 Mar 2021 15:05:44 -0300 Subject: [PATCH 7/7] Release version 1.0.0~rc93-0ubuntu1 to Hirsute --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index f858fc6..1358694 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,4 +1,4 @@ -runc (1.0.0~rc93-0ubuntu1) UNRELEASED; urgency=medium +runc (1.0.0~rc93-0ubuntu1) hirsute; urgency=medium * New upstream release (LP: #1919182). - runc now has special handling for seccomp profiles to avoid making new