From 7394c154a92f9b4e2f8b65af74d8b5533ad7746d Mon Sep 17 00:00:00 2001
From: Bruce Ashfield
Date: Wed, 3 Jul 2019 13:18:08 +0000
Subject: [PATCH] containers: update oci-systemd-hook to 0.2.0

Updating to the latest oci-systemd-hook version. We also refresh the patches, specifically the selinux patch, for the updated context. The additional cgroups mount patch needed to be tweaks for new required parameters, but is otherwise unchanged.

Signed-off-by: Bruce Ashfield
---
 ...group-mounts-from-root-NS-automatica.patch | 26 +++++++++---------
 .../0001-selinux-drop-selinux-support.patch | 27 +++++++++++--------
 .../oci-systemd-hook/oci-systemd-hook_git.bb | 4 +--
 3 files changed, 31 insertions(+), 26 deletions(-)

diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch
index 753a77d1..b1299f50 100644
--- a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch
+++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch
@@ -1,6 +1,6 @@
-From f59cddcedd6535e0b809ec9b4e95672d34b41a16 Mon Sep 17 00:00:00 2001
+From f9c640fa1d4c14dfbd2bc40af91cb446ad373075 Mon Sep 17 00:00:00 2001
 From: Jason Wessel
-Date: Tue, 14 Nov 2017 07:41:41 -0800
+Date: Tue, 2 Jul 2019 20:51:08 +0000
 Subject: [PATCH] Add additional cgroup mounts from root NS automatically
 Signed-off-by: Jason Wessel
@@ -9,11 +9,11 @@ Signed-off-by: Jason Wessel
 1 file changed, 45 insertions(+)
 diff --git a/src/systemdhook.c b/src/systemdhook.c
-index 78575ef..f735484 100644
+index 87a3585..5220c54 100644
 --- a/src/systemdhook.c
+++ b/src/systemdhook.c
-@@ -238,6 +238,11 @@ static char *get_process_cgroup_subsystem_path(int pid, const char *subsystem) {
- static int mount_cgroup(const char *rootfs, const char *options, char *systemd_path)
+@@ -281,6 +281,11 @@ static char *get_process_cgroup_subsystem_path(const char *id, int pid, const ch
+ static int mount_cgroup(const char *id, const char *rootfs, const char *options, char *systemd_path)
 {
 _cleanup_free_ char *cgroup_path = NULL;
 + char *spath, *dpath;
@@ -23,9 +23,9 @@ index 78575ef..f735484 100644
 + int got;
 if (asprintf(&cgroup_path, "%s/%s", rootfs, CGROUP_ROOT) < 0) {
- pr_perror("Failed to create path for %s", CGROUP_ROOT);
-@@ -256,6 +261,46 @@ static int mount_cgroup(const char *rootfs, const char *options, char *systemd_p
- pr_perror("Failed to mkdir new dest: %s", systemd_path);
+ pr_perror("%s: Failed to create path for %s", id, CGROUP_ROOT);
+@@ -290,6 +295,46 @@ static int mount_cgroup(const char *id, const char *rootfs, const char *options,
+ pr_perror("%s: Failed to mkdir new dest: %s", id, cgroup_path);
 return -1;
 }
 + /* Create all additional cgroup mounts which are in the root namespace */
@@ -59,7 +59,7 @@ index 78575ef..f735484 100644
 + pr_perror("Failed to mkdir new dest: %s", dpath);
 + return -1;
 + }
-+ if (bind_mount(spath, dpath, false)) {
++ if (bind_mount(id, spath, dpath, false)) {
 + pr_perror("Failed to bind mount %s on %s", spath, dpath);
 + return -1;
 + }
@@ -68,9 +68,9 @@ index 78575ef..f735484 100644
 + free(dpath);
 + }
 + closedir(dir);
- if (mount(cgroup_path, cgroup_path, "bind", MS_REMOUNT|MS_BIND|MS_RDONLY, "") == -1) {
- pr_perror("Failed to remount %s readonly", cgroup_path);
- return -1;
+ /* Mount tmpfs at new cgroup directory */
+ if (mount("tmpfs", cgroup_path, "tmpfs", MS_NODEV|MS_NOSUID, options) == -1) {
+ pr_perror("%s: Failed to mount tmpfs at %s", id, cgroup_path);
 --
-2.11.0
+2.19.1
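Review bot: The insertion point of the additional-mount loop may no longer be right after this refresh: the new context in the last hunk shows upstream now follows the block with `mount("tmpfs", cgroup_path, "tmpfs", MS_NODEV|MS_NOSUID, options)`, where the old context did a read-only remount of `cgroup_path`, so if `dpath` is built under `cgroup_path` (its construction is outside the hunks) the tmpfs mount would cover the bind mounts the loop just created. Please confirm against the fully patched mount_cgroup that the loop runs after the tmpfs is in place or that dpath lives elsewhere; the commit message's "otherwise unchanged" does not account for this reordering of the surrounding code. The `MS_RDONLY` remount that used to follow the loop is also gone from the visible context, so whether the root-namespace cgroup directories bound by `bind_mount(id, spath, dpath, false)` end up writable inside the container is no longer evident from the patch and should be checked, since writable host cgroup hierarchies widen a container's attack surface. As a style point, the added `pr_perror("Failed to mkdir new dest: %s", dpath)` and `pr_perror("Failed to bind mount %s on %s", spath, dpath)` lack the `%s: ` id prefix that every upstream message in the new context now carries. The loop body and the remainder of mount_cgroup extend beyond the hunks.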
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
index 5016f6e7..a3ec57df 100644
--- a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
+++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
@@ -8,9 +8,11 @@ Signed-off-by: Bruce Ashfield
 src/systemdhook.c | 12 ------------
 1 file changed, 12 deletions(-)
---- a/src/systemdhook.c
-+++ b/src/systemdhook.c
-@@ -16,7 +16,6 @@
+Index: git/src/systemdhook.c
+===================================================================
+--- git.orig/src/systemdhook.c
++++ git/src/systemdhook.c
+@@ -17,7 +17,6 @@
 #include
 #include
 #include
@@ -18,25 +20,28 @@ Signed-off-by: Bruce Ashfield
 #include
 #include
-@@ -129,9 +128,6 @@ static int chperm(const char *path, cons
+@@ -166,12 +165,6 @@
 closedir(dir);
 return -1;
 }
-- if (setfilecon (full_path, label) < 0) {
-- pr_perror("Failed to set context %s on %s", label, full_path);
+- if (label != NULL && (strcmp("", label))) {
+- if ((is_selinux_enabled() > 0) && (setfilecon (full_path, label) < 0)) {
+- pr_perror("%s: Failed to set context %s on %s", id, label, full_path);
+- }
 - }
-
+-
+ if (doChown) {
 /* Change uid and gid to something the container can handle */
-@@ -496,14 +492,6 @@ static int prestart(const char *rootfs,
+ if (chown(full_path, uid, gid) < 0 ) {
+@@ -557,14 +550,6 @@
 return -1;
 }
 }
 -
 - if (strcmp("", mount_label)) {
-- rc = setfilecon(journal_dir, (security_context_t)mount_label);
-- if (rc < 0) {
-- pr_perror("Failed to set journal dir selinux context");
+- if ((is_selinux_enabled() > 0) &&
+- (setfilecon(journal_dir, (security_context_t)mount_label) < 0)) {
+- pr_perror("%s: Failed to set journal dir selinux context", id);
 - return -1;
 - }
 - }
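Review bot: The refreshed patch switches from git-style `--- a/src/systemdhook.c` / `+++ b/src/systemdhook.c` headers to quilt-style `Index: git/src/systemdhook.c` / `--- git.orig/src/systemdhook.c` headers, while the sibling cgroup patch in this same commit keeps the git format, so the two patches the recipe carries now follow different conventions; regenerating this one with git format-patch would keep them consistent and preserve the function context that the new `@@ -166,12 +165,6 @@` and `@@ -557,14 +550,6 @@` headers have lost. The new removed lines also show that upstream now guards both `setfilecon` calls with `is_selinux_enabled() > 0`, so on a system without SELinux they are already a runtime no-op; the inner patch's description, which is outside these hunks, should state that the removal is kept only to avoid the libselinux build dependency (presumably the original motivation) so a later refresh can judge whether the patch is still needed. It is also worth recording there that, with these calls gone, containers started by this hook get no SELinux label on the cgroup and journal directories even where SELinux is enforcing.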
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
index e07b7410..6734bffe 100644
--- a/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
+++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
@@ -6,14 +6,14 @@ PRIORITY = "optional"
 DEPENDS = "yajl util-linux"
-SRCREV = "1ac958a4197a9ea52174812fc7d7d036af8140d3"
+SRCREV = "05e692346ca73e022754332a7da641230dae2ffe"
 SRC_URI = "git://github.com/projectatomic/oci-systemd-hook \
 file://0001-selinux-drop-selinux-support.patch \
 file://0001-configure-drop-selinux-support.patch \
 file://0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch \
 "
-PV = "0.0.1+git${SRCPV}"
+PV = "0.2.0+git${SRCPV}"
 S = "${WORKDIR}/git"
 inherit autotools pkgconfig