From 73b48a3cb65d4017b62cba486ac2b3db2491a48a Mon Sep 17 00:00:00 2001 
From: chenjiankun Date: Tue, 2 Jan 2024 18:13:20 +0800 Subject: [PATCH] docker: sync patches from upstream Sync patches from upstream, including: https://github.com/docker/docker-ce/commit/b033961a82cd48cc31e5ae891f033fe4eb184192 https://github.com/docker/docker-ce/commit/2a8341f2528b3e3a5c70f0ebf0980af3e3f70119 https://github.com/docker/docker-ce/commit/cae76642b61f2306c610c91900fd8100967197fe https://github.com/docker/docker-ce/commit/f43f820a8c0e17c76f6cb42ab07a9c526b64734c https://github.com/docker/docker-ce/commit/b1d05350ecaf98f478577246d7e17311cd4761c9 https://github.com/docker/docker-ce/commit/7a24e475b3cb5975c7fc02b2d854ae58f13bcabd https://github.com/docker/docker-ce/commit/f89fd3df7d5c4a63fed8e47ece566fa2d1db681d https://github.com/docker/docker-ce/commit/76e42601417c9bbcd7637a8b75d2d4318f6254ed https://github.com/docker/docker-ce/commit/b92585a47049e661c8dcc0956e3e5f0210b5c4f3 (cherry picked from commit 964354b6885aa28a3668ccab6cf0c458206df30b) --- VERSION-vendor | 2 +- docker.spec | 8 +- git-commit | 2 +- ...4-Fix-possible-nil-pointer-exception.patch | 59 ++++++ ...-handling-for-bind-mount-spec-parser.patch | 37 ++++ ...istence-and-also-a-potential-data-ra.patch | 59 ++++++ ...ent-make-sure-to-cancel-the-contexts.patch | 54 +++++ ...-possible-runtime-panic-in-Lgetxattr.patch | 59 ++++++ ...da-netns-db3c7e526aae966c4ccfa6c8189.patch | 191 ++++++++++++++++++ ...n_linux.go-for-preventing-off-by-one.patch | 33 +++ ...ssEndpointDelete-Fix-deadlock-betwee.patch | 73 +++++++ ...te-daemon-daemon.go-resume-healthche.patch | 55 +++++ series.conf | 9 + 13 files changed, 638 insertions(+), 3 deletions(-) create mode 100644 patch/0264-Fix-possible-nil-pointer-exception.patch create mode 100644 patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch create mode 100644 patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch create mode 100644 patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch create mode 100644 
patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch create mode 100644 patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch create mode 100644 patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch create mode 100644 patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch create mode 100644 patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch diff --git a/VERSION-vendor b/VERSION-vendor index 68ceae5..17f39fc 100644 --- a/VERSION-vendor +++ b/VERSION-vendor @@ -1 +1 @@ -18.09.0.331 +18.09.0.332 diff --git a/docker.spec b/docker.spec index a0309bd..0c9caad 100644 --- a/docker.spec +++ b/docker.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 331 +Release: 332 Epoch: 2 Summary: The open-source application container engine Group: Tools/Docker @@ -213,6 +213,12 @@ fi %endif %changelog +* Tue Jan 02 2024 chenjiankun - 18.09.0-332 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:sync patches from upstream + * Thu Oct 12 2023 zhongjiawei - 18.09.0-331 - Type:bugfix - CVE:NA diff --git a/git-commit b/git-commit index ceb79cb..9b8f21b 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -27990572a4a6368c387a04649493a8a41bf26d57 +beaa44e40a303ba8af99e17da56cb9cb4dbdcf3f diff --git a/patch/0264-Fix-possible-nil-pointer-exception.patch b/patch/0264-Fix-possible-nil-pointer-exception.patch new file mode 100644 index 0000000..60954dd --- /dev/null +++ b/patch/0264-Fix-possible-nil-pointer-exception.patch 
@@ -0,0 +1,59 @@ +From b38955814a5c5259974e081d3abb8e7da7c1f90a Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:22:14 +0800 +Subject: [PATCH 01/10] Fix possible nil pointer exception It is possible that + the node is not yet present in the node list map. In this case just print a + warning and return. The next iteration would be fine + +Signed-off-by: Flavio Crisciani +Upstream-commit: 151f42aeaa062535246a38330a78700398de53cd +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/b033961a82cd48cc31e5ae891f033fe4eb184192 + +Signed-off-by: Song Zhang +--- + .../engine/vendor/github.com/docker/libnetwork/network.go | 8 +++----- + .../github.com/docker/libnetwork/networkdb/cluster.go | 7 ++++++- + 2 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/components/engine/vendor/github.com/docker/libnetwork/network.go b/components/engine/vendor/github.com/docker/libnetwork/network.go +index 4940aa835..0e7890769 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/network.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/network.go +@@ -396,11 +396,9 @@ func (n *network) validateConfiguration() error { + driverOptions map[string]string + opts interface{} + ) +- switch data.(type) { +- case map[string]interface{}: +- opts = data.(map[string]interface{}) +- case map[string]string: +- opts = data.(map[string]string) ++ switch t := data.(type) { ++ case map[string]interface{}, map[string]string: ++ opts = t + } + ba, err := json.Marshal(opts) + if err != nil { +diff --git a/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go b/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go +index c98957084..2e7795440 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go +@@ -288,7 +288,12 @@ func (nDB *NetworkDB) rejoinClusterBootStrap() { + return 
+ } + +- myself, _ := nDB.nodes[nDB.config.NodeID] ++ myself, ok := nDB.nodes[nDB.config.NodeID] ++ if !ok { ++ nDB.RUnlock() ++ logrus.Warnf("rejoinClusterBootstrap unable to find local node info using ID:%v", nDB.config.NodeID) ++ return ++ } + bootStrapIPs := make([]string, 0, len(nDB.bootStrapIP)) + for _, bootIP := range nDB.bootStrapIP { + // botostrap IPs are usually IP:port from the Join +-- +2.33.0 + diff --git a/patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch b/patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch new file mode 100644 index 0000000..741b1a7 --- /dev/null +++ b/patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch 
@@ -0,0 +1,37 @@ +From f1bc509fb5e58500bc3d8661d335268130e2e4a7 Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:31:18 +0800 +Subject: [PATCH 03/10] Fix error handling for bind mount spec parser. Errors + were being ignored and always telling the user that the path doesn't exist + even if it was some other problem, such as a permission error. + +Signed-off-by: Brian Goff +Upstream-commit: ebcef288343698dd86ff307f5b9c58aa52ce9fdd +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/2a8341f2528b3e3a5c70f0ebf0980af3e3f70119 + +Signed-off-by: Song Zhang +--- + components/engine/volume/mounts/linux_parser.go | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/components/engine/volume/mounts/linux_parser.go b/components/engine/volume/mounts/linux_parser.go +index 8e436aec0..e276a39ce 100644 +--- a/components/engine/volume/mounts/linux_parser.go ++++ b/components/engine/volume/mounts/linux_parser.go +@@ -82,7 +82,10 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour + } + + if validateBindSourceExists { +- exists, _, _ := currentFileInfoProvider.fileInfo(mnt.Source) ++ exists, _, err := currentFileInfoProvider.fileInfo(mnt.Source) ++ if err != nil { ++ return &errMountConfig{mnt, err} ++ } + if !exists { + return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)} + } +-- +2.33.0 + diff --git a/patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch b/patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch new file mode 100644 index 0000000..f40a657 --- /dev/null +++ b/patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch 
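Review bot: The new `if err != nil` branch after `currentFileInfoProvider.fileInfo(mnt.Source)` assumes the provider reports a missing path as `exists == false` with a nil error; if it instead surfaces the `os.IsNotExist` error, the dedicated `errBindSourceDoesNotExist` message on the next line becomes unreachable and API clients get a raw `*PathError` string. Worth confirming against the provider (not in the hunk), or guarding with `if err != nil && !os.IsNotExist(err)` if `os` is imported there. Surfacing the real error is the right call, since a permission failure on the host path was previously misreported as "does not exist". validateMountConfigImpl begins and ends outside the hunk.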
@@ -0,0 +1,59 @@ +From 2d1f0bc85e2d596d7cd566fe32d85ecd394af50d Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:32:58 +0800 +Subject: [PATCH 04/10] =?UTF-8?q?Fixed=20the=20inconsistence=20and=20also?= + =?UTF-8?q?=20a=20potential=20data=20race=20in=20pkg/ioutils=E2=80=A6=20?= + =?UTF-8?q?=E2=80=A6/bytespipe.go:=20bp.closeErr=20is=20read/write=208=20t?= + =?UTF-8?q?imes;=207=20out=20of=208=20times=20it=20is=20protected=20by=20b?= + =?UTF-8?q?p.mu.Lock();=201=20out=20of=208=20times=20it=20is=20read=20with?= + =?UTF-8?q?out=20a=20Lock?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: lzhfromutsc +Upstream-commit: c2479f6ebf288fe8660ea64f51ac80cfdda3011d +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/cae76642b61f2306c610c91900fd8100967197fe + +Signed-off-by: Song Zhang +--- + components/engine/pkg/ioutils/bytespipe.go | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/components/engine/pkg/ioutils/bytespipe.go b/components/engine/pkg/ioutils/bytespipe.go +index e04a5bf51..bd57e5fbb 100644 +--- a/components/engine/pkg/ioutils/bytespipe.go ++++ b/components/engine/pkg/ioutils/bytespipe.go +@@ -29,11 +29,11 @@ var ( + // and releases new byte slices to adjust to current needs, so the buffer + // won't be overgrown after peak loads. + type BytesPipe struct { +- mu sync.Mutex +- wait *sync.Cond +- buf []*fixedBuffer +- bufLen int +- closeErr error // error to return from next Read. set to nil if not closed. ++ mu sync.Mutex ++ wait *sync.Cond ++ buf []*fixedBuffer ++ bufLen int ++ closeErr error // error to return from next Read. set to nil if not closed. 
+ readBlock bool // check read BytesPipe is Wait() or not + } + +@@ -132,8 +132,9 @@ func (bp *BytesPipe) Read(p []byte) (n int, err error) { + bp.mu.Lock() + if bp.bufLen == 0 { + if bp.closeErr != nil { ++ err := bp.closeErr + bp.mu.Unlock() +- return 0, bp.closeErr ++ return 0, err + } + bp.readBlock = true + bp.wait.Wait() +-- +2.33.0 + diff --git a/patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch b/patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch new file mode 100644 index 0000000..408e430 --- /dev/null +++ b/patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch 
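Review bot: In the Read hunk, `err := bp.closeErr` declares a new variable that shadows the function's named result `err` (signature `Read(p []byte) (n int, err error)`), which vet's shadow check flags and which reads as if the named result were being set. Assign instead of redeclaring, `err = bp.closeErr`, and keep the explicit `return 0, err`; copying the field while still holding `bp.mu` is the right fix for the race. Read begins and ends outside the hunk.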
@@ -0,0 +1,54 @@ +From 543ae0a4cbdfa0253dc1fd2b29dc957ea23fde63 Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:35:19 +0800 +Subject: [PATCH 05/10] daemon/ProcessEvent: make sure to cancel the contexts + Reported by govet linter: + +> daemon/monitor.go:57:9: lostcancel: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak (govet) +> ctx, _ := context.WithTimeout(context.Background(), 2*time.Second) +> ^ +> daemon/monitor.go:128:9: lostcancel: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak (govet) +> ctx, _ := context.WithTimeout(context.Background(), 2*time.Second) +> ^ + +Fixes: b5f288 ("Handle blocked I/O of exec'd processes") +Signed-off-by: Kir Kolyshkin +Upstream-commit: 53cbf1797b001314035a13578ed60f015a0179e4 +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/f43f820a8c0e17c76f6cb42ab07a9c526b64734c + +Signed-off-by: Song Zhang +--- + components/engine/daemon/monitor.go | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/components/engine/daemon/monitor.go b/components/engine/daemon/monitor.go +index d47b51a33..7ab4d431b 100644 +--- a/components/engine/daemon/monitor.go ++++ b/components/engine/daemon/monitor.go +@@ -77,8 +77,9 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc + logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID) + } + +- ctx, _ := context.WithTimeout(context.Background(), 2*time.Second) ++ ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + c.StreamConfig.Wait(ctx) ++ cancel() + c.Reset(false) + + exitStatus := container.ExitStatus{ +@@ -145,8 +146,9 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc + defer execConfig.Unlock() + execConfig.ExitCode = &ec + execConfig.Running = false +- ctx, _ := 
context.WithTimeout(context.Background(), 2*time.Second) ++ ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + execConfig.StreamConfig.Wait(ctx) ++ cancel() + if err := execConfig.CloseStreams(); err != nil { + logrus.Errorf("failed to cleanup exec %s streams: %s", c.ID, err) + } +-- +2.33.0 + diff --git a/patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch b/patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch new file mode 100644 index 0000000..350712d --- /dev/null +++ b/patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch 
@@ -0,0 +1,59 @@ +From 316b667f240bf2d3792188d05b8bdace294a8d2c Mon Sep 17 00:00:00 2001 +From: Sascha Grunert +Date: Wed, 4 Dec 2019 14:25:58 +0100 +Subject: [PATCH 06/10] Fix possible runtime panic in Lgetxattr + +If `unix.Lgetxattr` returns an error, then `sz == -1` which will cause a +runtime panic if `errno == unix.ERANGE`. + +Signed-off-by: Sascha Grunert +Upstream-commit: 4138cd22abeaa7d1c49a96fa4c0045feb32b847e +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/b1d05350ecaf98f478577246d7e17311cd4761c9 +--- + components/engine/pkg/system/xattrs_linux.go | 21 ++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/components/engine/pkg/system/xattrs_linux.go b/components/engine/pkg/system/xattrs_linux.go +index 66d4895b2..d4f1a57fb 100644 +--- a/components/engine/pkg/system/xattrs_linux.go ++++ b/components/engine/pkg/system/xattrs_linux.go +@@ -6,19 +6,28 @@ import "golang.org/x/sys/unix" + // and associated with the given path in the file system. + // It will returns a nil slice and nil error if the xattr is not set. + func Lgetxattr(path string, attr string) ([]byte, error) { ++ // Start with a 128 length byte array + dest := make([]byte, 128) + sz, errno := unix.Lgetxattr(path, attr, dest) +- if errno == unix.ENODATA { ++ ++ switch { ++ case errno == unix.ENODATA: + return nil, nil +- } +- if errno == unix.ERANGE { ++ case errno == unix.ERANGE: ++ // 128 byte array might just not be good enough. A dummy buffer is used ++ // to get the real size of the xattrs on disk ++ sz, errno = unix.Lgetxattr(path, attr, []byte{}) ++ if errno != nil { ++ return nil, errno ++ } + dest = make([]byte, sz) + sz, errno = unix.Lgetxattr(path, attr, dest) +- } +- if errno != nil { ++ if errno != nil { ++ return nil, errno ++ } ++ case errno != nil: + return nil, errno + } +- + return dest[:sz], nil + } + +-- +2.33.0 + 
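Review bot: The ERANGE branch retries the read exactly once, so if the attribute value grows between the zero-length size probe and the second `unix.Lgetxattr`, the call returns ERANGE to the caller instead of retrying; the old code had the same window but now it is an explicit error path rather than a panic. Looping while errno is ERANGE closes the window, and also lets ENODATA and other errors fall through a single switch instead of the nested `if errno != nil` checks. Since this helper feeds archive/tar handling of attributes such as security.capability, a spurious ERANGE would fail the copy rather than corrupt it, so the change is about robustness, not safety.
```go
func Lgetxattr(path string, attr string) ([]byte, error) {
	// Start with a 128 length byte array
	dest := make([]byte, 128)
	sz, errno := unix.Lgetxattr(path, attr, dest)

	for errno == unix.ERANGE {
		// Buffer too small: ask for the real size with a zero-length buffer,
		// then retry; loop because the value may change between the two calls.
		sz, errno = unix.Lgetxattr(path, attr, []byte{})
		if errno != nil {
			return nil, errno
		}
		dest = make([]byte, sz)
		sz, errno = unix.Lgetxattr(path, attr, dest)
	}

	switch {
	case errno == unix.ENODATA:
		return nil, nil
	case errno != nil:
		return nil, errno
	}
	return dest[:sz], nil
}
```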
diff --git a/patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch b/patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch new file mode 100644 index 0000000..70d4bf7 --- /dev/null +++ b/patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch @@ -0,0 +1,191 @@ +From 7968f451470d4fb2a50335ebb593e885fc54956e Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:49:55 +0800 +Subject: [PATCH 07/10] vendor: vishvananda/netns + db3c7e526aae966c4ccfa6c8189b693d6ac5d202 
Signed-off-by: Sebastiaan van Stijn + Upstream-commit: e11c7fe3ab085939d74a386d763ca3ae4c67c7a0 + Component: engine + + Reference: https://github.com/docker/docker-ce/commit/7a24e475b3cb5975c7fc02b2d854ae58f13bcabd + +Signed-off-by: Song Zhang +--- + .../github.com/vishvananda/netns/netns.go | 15 ++-- + .../vishvananda/netns/netns_linux.go | 72 +++++++++++++++---- + 2 files changed, 66 insertions(+), 21 deletions(-) + +diff --git a/components/engine/vendor/github.com/vishvananda/netns/netns.go b/components/engine/vendor/github.com/vishvananda/netns/netns.go +index 2ca0feedd..aa32ac7fd 100644 +--- a/components/engine/vendor/github.com/vishvananda/netns/netns.go ++++ b/components/engine/vendor/github.com/vishvananda/netns/netns.go +@@ -10,7 +10,8 @@ package netns + + import ( + "fmt" +- "syscall" ++ ++ "golang.org/x/sys/unix" + ) + + // NsHandle is a handle to a network namespace. It can be cast directly +@@ -24,11 +25,11 @@ func (ns NsHandle) Equal(other NsHandle) bool { + if ns == other { + return true + } +- var s1, s2 syscall.Stat_t +- if err := syscall.Fstat(int(ns), &s1); err != nil { ++ var s1, s2 unix.Stat_t ++ if err := unix.Fstat(int(ns), &s1); err != nil { + return false + } +- if err := syscall.Fstat(int(other), &s2); err != nil { ++ if err := unix.Fstat(int(other), &s2); err != nil { + return false + } + return (s1.Dev == s2.Dev) && (s1.Ino == s2.Ino) +@@ -36,11 +37,11 @@ func (ns NsHandle) Equal(other NsHandle) bool { + + // String shows the file descriptor number and its dev and inode. + func (ns NsHandle) String() string { +- var s syscall.Stat_t + if ns == -1 { + return "NS(None)" + } +- if err := syscall.Fstat(int(ns), &s); err != nil { ++ var s unix.Stat_t ++ if err := unix.Fstat(int(ns), &s); err != nil { + return fmt.Sprintf("NS(%d: unknown)", ns) + } + return fmt.Sprintf("NS(%d: %d, %d)", ns, s.Dev, s.Ino) +@@ -54,7 +55,7 @@ func (ns NsHandle) IsOpen() bool { + // Close closes the NsHandle and resets its file descriptor to -1. 
+ // It is not safe to use an NsHandle after Close() is called. + func (ns *NsHandle) Close() error { +- if err := syscall.Close(int(*ns)); err != nil { ++ if err := unix.Close(int(*ns)); err != nil { + return err + } + (*ns) = -1 +diff --git a/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go b/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go +index abdc30829..cf1db6025 100644 +--- a/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go ++++ b/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go +@@ -1,3 +1,4 @@ ++//go:build linux + // +build linux + + package netns +@@ -6,31 +7,31 @@ import ( + "fmt" + "io/ioutil" + "os" ++ "path" + "path/filepath" + "strconv" + "strings" + "syscall" ++ ++ "golang.org/x/sys/unix" + ) + + const ( + // These constants belong in the syscall library but have not been + // added yet. +- CLONE_NEWUTS = 0x04000000 /* New utsname group? */ +- CLONE_NEWIPC = 0x08000000 /* New ipcs */ +- CLONE_NEWUSER = 0x10000000 /* New user namespace */ +- CLONE_NEWPID = 0x20000000 /* New pid namespace */ +- CLONE_NEWNET = 0x40000000 /* New network namespace */ +- CLONE_IO = 0x80000000 /* Get io context */ ++ CLONE_NEWUTS = 0x04000000 /* New utsname group? */ ++ CLONE_NEWIPC = 0x08000000 /* New ipcs */ ++ CLONE_NEWUSER = 0x10000000 /* New user namespace */ ++ CLONE_NEWPID = 0x20000000 /* New pid namespace */ ++ CLONE_NEWNET = 0x40000000 /* New network namespace */ ++ CLONE_IO = 0x80000000 /* Get io context */ ++ bindMountPath = "/run/netns" /* Bind mount path for named netns */ + ) + + // Setns sets namespace using syscall. Note that this should be a method + // in syscall but it has not been added. 
+ func Setns(ns NsHandle, nstype int) (err error) { +- _, _, e1 := syscall.Syscall(SYS_SETNS, uintptr(ns), uintptr(nstype), 0) +- if e1 != 0 { +- err = e1 +- } +- return ++ return unix.Setns(int(ns), nstype) + } + + // Set sets the current network namespace to the namespace represented +@@ -41,21 +42,64 @@ func Set(ns NsHandle) (err error) { + + // New creates a new network namespace and returns a handle to it. + func New() (ns NsHandle, err error) { +- if err := syscall.Unshare(CLONE_NEWNET); err != nil { ++ if err := unix.Unshare(CLONE_NEWNET); err != nil { + return -1, err + } + return Get() + } + ++// NewNamed creates a new named network namespace and returns a handle to it ++func NewNamed(name string) (NsHandle, error) { ++ if _, err := os.Stat(bindMountPath); os.IsNotExist(err) { ++ err = os.MkdirAll(bindMountPath, 0755) ++ if err != nil { ++ return None(), err ++ } ++ } ++ ++ newNs, err := New() ++ if err != nil { ++ return None(), err ++ } ++ ++ namedPath := path.Join(bindMountPath, name) ++ ++ f, err := os.OpenFile(namedPath, os.O_CREATE|os.O_EXCL, 0444) ++ if err != nil { ++ return None(), err ++ } ++ f.Close() ++ ++ nsPath := fmt.Sprintf("/proc/%d/task/%d/ns/net", os.Getpid(), syscall.Gettid()) ++ err = syscall.Mount(nsPath, namedPath, "bind", syscall.MS_BIND, "") ++ if err != nil { ++ return None(), err ++ } ++ ++ return newNs, nil ++} ++ ++// DeleteNamed deletes a named network namespace ++func DeleteNamed(name string) error { ++ namedPath := path.Join(bindMountPath, name) ++ ++ err := syscall.Unmount(namedPath, syscall.MNT_DETACH) ++ if err != nil { ++ return err ++ } ++ ++ return os.Remove(namedPath) ++} ++ + // Get gets a handle to the current threads network namespace. 
+ func Get() (NsHandle, error) { +- return GetFromThread(os.Getpid(), syscall.Gettid()) ++ return GetFromThread(os.Getpid(), unix.Gettid()) + } + + // GetFromPath gets a handle to a network namespace + // identified by the path + func GetFromPath(path string) (NsHandle, error) { +- fd, err := syscall.Open(path, syscall.O_RDONLY, 0) ++ fd, err := unix.Open(path, unix.O_RDONLY|unix.O_CLOEXEC, 0) + if err != nil { + return -1, err + } +-- +2.33.0 + diff --git a/patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch b/patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch new file mode 100644 index 0000000..885d174 --- /dev/null +++ b/patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch 
@@ -0,0 +1,33 @@ +From 3b9d957c2a590f54eb03b37c48e8c1a911430ed6 Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:50:54 +0800 +Subject: [PATCH 08/10] Update daemon_linux.go for preventing off-by-one Array + length should be bigger than 5, when accessing index 4 + +Signed-off-by: J-jaeyoung +Upstream-commit: 19eda6b9a2991733a7e5b8fb0c435bf55846461f +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/f89fd3df7d5c4a63fed8e47ece566fa2d1db681d + +Signed-off-by: Song Zhang +--- + components/engine/daemon/daemon_linux.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/components/engine/daemon/daemon_linux.go b/components/engine/daemon/daemon_linux.go +index 6a5790b4f..ed23bf30d 100644 +--- a/components/engine/daemon/daemon_linux.go ++++ b/components/engine/daemon/daemon_linux.go +@@ -49,7 +49,7 @@ func (daemon *Daemon) cleanupMountsFromReaderByID(reader io.Reader, id string, u + regexps := getCleanPatterns(id) + sc := bufio.NewScanner(reader) + for sc.Scan() { +- if fields := strings.Fields(sc.Text()); len(fields) >= 4 { ++ if fields := strings.Fields(sc.Text()); len(fields) > 4 { + if mnt := fields[4]; strings.HasPrefix(mnt, daemon.root) { + for _, p := range regexps { + if p.MatchString(mnt) { +-- +2.33.0 + diff --git a/patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch b/patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch new file mode 100644 index 0000000..02164dd --- /dev/null +++ b/patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch 
@@ -0,0 +1,73 @@ +From fb353504e81196d7030710b648834ca61092f3aa Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 20:59:30 +0800 +Subject: [PATCH 09/10] =?UTF-8?q?libnetwork:=20processEndpointDelete:=20Fi?= + =?UTF-8?q?x=20deadlock=20between=20getSvcRecords=E2=80=A6=20=E2=80=A6=20a?= + =?UTF-8?q?nd=20processEndpointDelete?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We had some hosts with quite a bit of cycling containers that ocassionally causes docker daemons to lock up. +Most prominently `docker run` commands do not respond and nothing happens anymore. + +Looking at the stack trace the following is at least likely sometimes a cause to that: +Two goroutines g0 and g1 can race against each other: +* (g0) 1. getSvcRecords is called and calls (*network).Lock() + --> Network is locked. +* (g1) 2. processEndpointDelete is called, and calls (*controller).Lock() + --> Controller is locked +* (g1) 3. processEndpointDelete tries (*network).ID() which calls (*network).Lock(). +* (g0) 4. getSvcRecords calls (*controller).Lock(). + +3./4. are deadlocked against each other since the other goroutine holds the lock they need. 
+ +References https://github.com/moby/libnetwork/blob/b5dc37037049d9b9ef68a3c4611e5eb1b35dd2af/network.go + +Signed-off-by: Steffen Butzer +Upstream-commit: 7c97896747726554165480d102d9e46c54334cba +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/76e42601417c9bbcd7637a8b75d2d4318f6254ed + +Signed-off-by: Song Zhang +--- + .../vendor/github.com/docker/libnetwork/store.go | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/components/engine/vendor/github.com/docker/libnetwork/store.go b/components/engine/vendor/github.com/docker/libnetwork/store.go +index 0a7c5754d..65af83d22 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/store.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/store.go +@@ -421,11 +421,14 @@ func (c *controller) processEndpointDelete(nmap map[string]*netWatch, ep *endpoi + return + } + ++ networkID := n.ID() ++ endpointID := ep.ID() ++ + c.Lock() +- nw, ok := nmap[n.ID()] ++ nw, ok := nmap[networkID] + + if ok { +- delete(nw.localEps, ep.ID()) ++ delete(nw.localEps, endpointID) + c.Unlock() + + // Update the svc db about local endpoint leave right away +@@ -439,9 +442,9 @@ func (c *controller) processEndpointDelete(nmap map[string]*netWatch, ep *endpoi + + // This is the last container going away for the network. Destroy + // this network's svc db entry +- delete(c.svcRecords, n.ID()) ++ delete(c.svcRecords, networkID) + +- delete(nmap, n.ID()) ++ delete(nmap, networkID) + } + } + c.Unlock() +-- +2.33.0 + diff --git a/patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch b/patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch new file mode 100644 index 0000000..a279fa9 --- /dev/null +++ b/patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch 
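Review bot: The hoisted `networkID := n.ID()` and `endpointID := ep.ID()` fix the lock-order inversion, but nothing in the code records why they must stay above `c.Lock()`, so a later edit can move a `n.ID()` call back under the controller lock and reintroduce the deadlock. Add a comment above the two assignments, e.g. `// Read the IDs before taking c.Lock(): n.ID() takes the network lock, and getSvcRecords takes network then controller, so calling n.ID() while holding c inverts that order and deadlocks.` processEndpointDelete begins before the hunk and continues after it.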
@@ -0,0 +1,55 @@ +From b12d244a382c920c19a75fbc52845ef7b74fcaac Mon Sep 17 00:00:00 2001 +From: Song Zhang +Date: Mon, 18 Dec 2023 21:08:59 +0800 +Subject: [PATCH 10/10] Fixes #41871: Update daemon/daemon.go: resume + healthcheck on restore Call updateHealthMonitor for alive non-paused + containers + +Signed-off-by: Alexis Ries +Upstream-commit: 9f39889dee7d96430359d7e1f8970a88acad59e5 +Component: engine + +Reference: https://github.com/docker/docker-ce/commit/b92585a47049e661c8dcc0956e3e5f0210b5c4f3 + +Signed-off-by: Song Zhang +--- + components/engine/daemon/daemon.go | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go +index 8754492ce..80a2f54f4 100644 +--- a/components/engine/daemon/daemon.go ++++ b/components/engine/daemon/daemon.go +@@ -416,7 +416,8 @@ func (daemon *Daemon) restore() error { + if c.IsRunning() || c.IsPaused() { + c.RestartManager().Cancel() // manually start containers because some need to wait for swarm networking + +- if c.IsPaused() && alive { ++ switch { ++ case c.IsPaused() && alive: + s, err := daemon.containerd.Status(context.Background(), c.ID) + if err != nil { + logrus.WithError(err).WithField("container", c.ID). +@@ -437,6 +438,7 @@ func (daemon *Daemon) restore() error { + c.Lock() + c.Paused = false + daemon.setStateCounter(c) ++ daemon.updateHealthMonitor(c) + if err := c.CheckpointTo(daemon.containersReplica); err != nil { + logrus.WithError(err).WithField("container", c.ID). + Error("Failed to update stopped container state") +@@ -444,6 +446,11 @@ func (daemon *Daemon) restore() error { + c.Unlock() + } + } ++ case !c.IsPaused() && alive: ++ logrus.Debug("restoring healthcheck") ++ c.Lock() ++ daemon.updateHealthMonitor(c) ++ c.Unlock() + } + + if !alive { +-- +2.33.0 + diff --git a/series.conf b/series.conf index 7aa6a8a..5c73436 100644 --- a/series.conf +++ b/series.conf 
@@ -258,4 +258,13 @@ patch/0260-docker-repalce-unix.Rmdir-with-os.RemoveAll-when-rem.patch
 patch/0261-backport-client-define-a-dummy-hostname-to-use-for-local-conn.patch
 patch/0262-docker-remove-useless-mount-point-dir.patch
 patch/0263-docker-builder-fix-COPY-from-should-preserve-ownership.patch
+patch/0264-Fix-possible-nil-pointer-exception.patch
+patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch
+patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch
+patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch
+patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch
+patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch
+patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch
+patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
+patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 #end
-- Gitee