diff --git a/VERSION-openeuler b/VERSION-openeuler index 4c8886863f01a5514cb85ae56a51eba6b9108007..1568a08fb2721003abf1bc3848b2a79c5af688b9 100644 --- a/VERSION-openeuler +++ b/VERSION-openeuler @@ -1 +1 @@ -18.09.0.105 +18.09.0.200 diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec index 82f596909d32d1ada671cfef99d8a40a7fcd565c..04c3e2419d862ed185f9d12e64c838fdab4e304d 100644 --- a/docker-engine-openeuler.spec +++ b/docker-engine-openeuler.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 105 +Release: 200 Summary: The open-source application container engine Group: Tools/Docker @@ -200,6 +200,14 @@ fi %endif %changelog +* Wed Feb 9 2021 xiadanni - 18.09.0-200 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:sync bugfix and bump version to 200, bugfix include + 1. fix execCommands leak in health-check. + 2. check containerd pid before kill it. + * Mon Jan 18 2021 jingrui - 18.09.0-105 - Type:bugfix - ID:NA diff --git a/patch/0186-docker-fix-execCommands-leak-in-health-check.patch b/patch/0186-docker-fix-execCommands-leak-in-health-check.patch new file mode 100644 index 0000000000000000000000000000000000000000..48ab5c0231e02bdca4ec327281ac495885f7b2f0 --- /dev/null +++ b/patch/0186-docker-fix-execCommands-leak-in-health-check.patch 
@@ -0,0 +1,67 @@
+From 83ef8cfec0df0388bb92788d9c3ec2a306ab7f20 Mon Sep 17 00:00:00 2001
+From: jingrui
+Date: Wed, 20 Jan 2021 17:07:12 +0800
+Subject: [PATCH] docker: fix execCommands leak in health-check
+
+Change-Id: I6bd02bc4a8e08b8de58bc454be8944c73175b3ae
+Signed-off-by: jingrui
+---
+ components/engine/daemon/daemon.go | 5 +----
+ components/engine/daemon/exec/exec.go | 7 +++++++
+ components/engine/daemon/health.go | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index ed268d2c4f..57ad832eb2 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -404,10 +404,6 @@ func (daemon *Daemon) restore() error {
+ if c.IsRunning() || c.IsPaused() {
+ c.RestartManager().Cancel() // manually start containers because some need to wait for swarm networking
+
+- c.Lock()
+- daemon.initHealthMonitor(c)
+- c.Unlock()
+-
+ if c.IsPaused() && alive {
+ s, err := daemon.containerd.Status(context.Background(), c.ID)
+ if err != nil {
+@@ -450,6 +446,7 @@ func (daemon *Daemon) restore() error {
+
+ if getProbe(c) != nil {
+ c.Lock()
++ daemon.initHealthMonitor(c)
+ if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+ logrus.WithError(err).WithField("container", c.ID).
+ Error("Failed to checkpoint container state")
+diff --git a/components/engine/daemon/exec/exec.go b/components/engine/daemon/exec/exec.go
+index 08fc87c4b0..47644fc158 100644
+--- a/components/engine/daemon/exec/exec.go
++++ b/components/engine/daemon/exec/exec.go
+@@ -145,3 +145,10 @@ func (e *Store) List() []string {
+ e.RUnlock()
+ return IDs
+ }
++
++func (e *Store) Size() int {
++ e.RLock()
++ num := len(e.byID)
++ e.RUnlock()
++ return num
++}
+diff --git a/components/engine/daemon/health.go b/components/engine/daemon/health.go
+index 5f26ee5db8..c181850309 100644
+--- a/components/engine/daemon/health.go
++++ b/components/engine/daemon/health.go
+@@ -202,7 +202,7 @@ func monitor(d *Daemon, c *container.Container, stop chan struct{}, probe probe)
+ result, err := probe.run(ctx, d, c)
+ if err != nil {
+ healthChecksFailedCounter.Inc()
+- logrus.Warnf("Health check for container %s error: %v", c.ID, err)
++ logrus.Warnf("exec-cmds=%d Health check for container %s error: %v", c.ExecCommands.Size(), c.ID, err)
+ results <- &types.HealthcheckResult{
+ ExitCode: -1,
+ Output: err.Error(),
+--
+2.17.1
+
diff --git a/patch/0188-docker-check-containerd-pid-before-kill-it.patch b/patch/0188-docker-check-containerd-pid-before-kill-it.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8e623579707d9d5bed995788dec3ade04a891e59
--- /dev/null
+++ b/patch/0188-docker-check-containerd-pid-before-kill-it.patch
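Review bot: The new exported method `Size` in exec.go has no doc comment, and the health.go change folds the store size into the message text instead of a log field. A comment such as `// Size returns the number of entries currently held in the store.` would follow Go convention. Writing the warning as `logrus.WithField("exec-cmds", c.ExecCommands.Size()).Warnf("Health check for container %s error: %v", c.ID, err)` keeps the existing message unchanged for anything that matches on it, while still exposing the counter for leak monitoring. The body of monitor continues outside the hunk.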
@@ -0,0 +1,121 @@
+From eda3fe6001fcf911e4630818514df6ad6531417d Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 28 Jan 2021 16:02:47 +0800
+Subject: [PATCH] docker: check containerd pid before kill it
+
+Signed-off-by: xiadanni
+---
+ .../libcontainerd/supervisor/remote_daemon.go | 6 ++++++
+ .../libcontainerd/supervisor/remote_daemon_linux.go | 15 +++++++++++----
+ components/engine/utils/utils.go | 21 +++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/components/engine/libcontainerd/supervisor/remote_daemon.go b/components/engine/libcontainerd/supervisor/remote_daemon.go
+index 19582cd..5cb6de0 100644
+--- a/components/engine/libcontainerd/supervisor/remote_daemon.go
++++ b/components/engine/libcontainerd/supervisor/remote_daemon.go
+@@ -18,6 +18,7 @@ import (
+ "github.com/containerd/containerd"
+ "github.com/containerd/containerd/services/server"
+ "github.com/docker/docker/pkg/system"
++ "github.com/docker/docker/utils"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
+@@ -139,6 +140,11 @@ func (r *remote) getContainerdPid() (int, error) {
+ if err != nil {
+ return -1, err
+ }
++
++ if !utils.IsContainerdPid(int(pid)) {
++ return -1, nil
++ }
++
+ if system.IsProcessAlive(int(pid)) {
+ return int(pid), nil
+ }
+diff --git a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
+index 799399c..3ccd38b 100644
+--- a/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
++++ b/components/engine/libcontainerd/supervisor/remote_daemon_linux.go
+@@ -8,6 +8,7 @@ import (
+
+ "github.com/containerd/containerd/defaults"
+ "github.com/docker/docker/pkg/system"
++ "github.com/docker/docker/utils"
+ )
+
+ const (
+@@ -42,7 +43,7 @@ func (r *remote) setDefaults() {
+
+ func (r *remote) stopDaemon() {
+ // Ask the daemon to quit
+- syscall.Kill(r.daemonPid, syscall.SIGTERM)
++ DoKillContainerd(r.daemonPid, syscall.SIGTERM)
+ // Wait up to 15secs for it to stop
+ for i := time.Duration(0); i < shutdownTimeout; i += time.Second {
+ if !system.IsProcessAlive(r.daemonPid) {
+@@ -53,15 +54,21 @@ func (r *remote) stopDaemon() {
+
+ if system.IsProcessAlive(r.daemonPid) {
+ r.logger.WithField("pid", r.daemonPid).Warn("daemon didn't stop within 15 secs, killing it")
+- syscall.Kill(r.daemonPid, syscall.SIGKILL)
++ DoKillContainerd(r.daemonPid, syscall.SIGKILL)
++ }
++}
++
++func DoKillContainerd(pid int, sig syscall.Signal) {
++ if utils.IsContainerdPid(pid) {
++ syscall.Kill(pid, sig)
+ }
+ }
+
+ func (r *remote) killDaemon() {
+ // Try to get a stack trace
+- syscall.Kill(r.daemonPid, syscall.SIGUSR1)
++ DoKillContainerd(r.daemonPid, syscall.SIGUSR1)
+ <-time.After(100 * time.Millisecond)
+- system.KillProcess(r.daemonPid)
++ DoKillContainerd(r.daemonPid, syscall.SIGKILL)
+ }
+
+ func (r *remote) platformCleanup() {
+diff --git a/components/engine/utils/utils.go b/components/engine/utils/utils.go
+index 53893fc..c394456 100644
+--- a/components/engine/utils/utils.go
++++ b/components/engine/utils/utils.go
+@@ -19,6 +19,12 @@ int mysemctl(int cmd, struct seminfo *p){
+ import "C"
+ import (
+ "fmt"
++ "io/ioutil"
++ "path/filepath"
++ "strconv"
++ "strings"
++
++ "github.com/sirupsen/logrus"
+ )
+
+ func CheckSemSetStat() (int, int, error) {
+@@ -30,3 +36,18 @@ func CheckSemSetStat() (int, int, error) {
+ }
+ return int(seminfo.semusz), int(seminfo.semmni), err
+ }
++
++func IsContainerdPid(pid int) bool {
++ if pid <= 1 {
++ logrus.Warnf("pid %d is not containerd", pid)
++ return false
++ }
++
++ cmdlineBytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "cmdline"))
++ if err == nil && !strings.Contains(string(cmdlineBytes), "containerd") {
++ logrus.Warnf("pid %d is not containerd, cmdline: %s", pid, string(cmdlineBytes))
++ return false
++ }
++
++ return true
++}
+--
+1.8.3.1
+
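Review bot: `IsContainerdPid` in utils.go passes any process whose command line merely contains the substring `containerd`, and because the test is `err == nil && !strings.Contains(...)` it also returns true when `/proc/<pid>/cmdline` cannot be read. A recycled pid that now belongs to a shim, or to any program started with a containerd path among its arguments, would still be signalled through `DoKillContainerd`. Checking only the first NUL-separated argument is stricter: `argv0 := strings.SplitN(string(cmdlineBytes), "\x00", 2)[0]` then `if err != nil || filepath.Base(argv0) != "containerd" { return false }`; the exact binary name should be taken from the supervisor's own constant, which is not visible in these hunks. Since cmdline is writable by the process itself and the check and `syscall.Kill` are separate steps, this narrows the pid-reuse window rather than closing it, and logging the value with `%q` would keep its NUL bytes out of the log.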
diff --git a/series.conf b/series.conf
index 13fd73b4201a12d790845768a07571f307dfd103..a38aaf2ea81789a0e26776235d449351362b48a3 100644
--- a/series.conf
+++ b/series.conf
@@ -180,4 +180,6 @@ patch/0181-docker-do-not-return-when-matched-registry-mirror.patch
 patch/0183-add-masked-paths-pagealloc_module-and-slaballoc_stat.patch
 patch/0184-docker-wait-io-with-timeout-when-process-Start-faile.patch
 patch/0185-docker-delete-image-reference-when-failed-to-get-ima.patch
+patch/0186-docker-fix-execCommands-leak-in-health-check.patch
+patch/0188-docker-check-containerd-pid-before-kill-it.patch
 #end