
Merge pull request #42388 from thaJeztah/20.10_backport_update_runc

[20.10 backport] Update runc binary to v1.0.0-rc94
Akihiro Suda 4 yıl önce
ebeveyn
işleme
989c08c367

+ 11 - 0
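--- a/container/container.go
+++ b/container/container.go
@@ -716,6 +716,17 @@ func getSecretTargetPath(r *swarmtypes.SecretReference) string {
 	return filepath.Join(containerSecretMountPath, r.File.Name)
 }
 
+// getConfigTargetPath makes sure that config paths inside the container are
+// absolute, as required by the runtime spec, and enforced by runc >= 1.0.0-rc94.
+// see https://github.com/opencontainers/runc/issues/2928
+func getConfigTargetPath(r *swarmtypes.ConfigReference) string {
+	if filepath.IsAbs(r.File.Name) {
+		return r.File.Name
+	}
+
+	return filepath.Join(containerConfigMountPath, r.File.Name)
+}
+
 // CreateDaemonEnvironment creates a new environment variable slice for this container.
 func (container *Container) CreateDaemonEnvironment(tty bool, linkedEnv []string) []string {
 	// Setup environment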
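Review bot: In `getConfigTargetPath` the absolute branch returns `r.File.Name` exactly as supplied, while the relative branch goes through `filepath.Join`, which also cleans its result, so an absolute name containing `..` or doubled separators (constructed example: `/etc/../app.conf`) reaches the mount destination un-normalised. Returning `filepath.Clean(r.File.Name)` in that branch would give both branches the same canonical form; whether a later layer already normalises the destination is not visible here. The helper also dereferences `r.File` without a guard, so its doc comment should state that callers must skip references whose `File` is nil. A small table test over absolute, relative and `..`-containing names would pin this behaviour.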

+ 2 - 1
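--- a/container/container_unix.go
+++ b/container/container_unix.go
@@ -27,6 +27,7 @@ const (
 	// for the graceful container stop before forcefully terminating it.
 	DefaultStopTimeout = 10
 
+	containerConfigMountPath = "/"
 	containerSecretMountPath = "/run/secrets"
 )
 
@@ -242,7 +243,7 @@ func (container *Container) SecretMounts() ([]Mount, error) {
 		}
 		mounts = append(mounts, Mount{
 			Source:      fPath,
-			Destination: r.File.Name,
+			Destination: getConfigTargetPath(r),
 			Writable:    false,
 		})
 	}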
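Review bot: The second hunk passes `r` to `getConfigTargetPath`, which reads `r.File.Name`, and no nil check on `r.File` is visible in this loop, whereas the Windows path in the same commit skips such references with `if configRef.File == nil { continue }`. The loop body starts outside the hunk, so the guard may already exist; if it does not, add `if r.File == nil { continue }` before the path is resolved. Separately, the new constant in the first hunk has no comment; something like `// containerConfigMountPath is the directory that relative config target names are resolved against.` would document why it is the root.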

+ 2 - 1
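--- a/container/container_windows.go
+++ b/container/container_windows.go
@@ -12,6 +12,7 @@ import (
 )
 
 const (
+	containerConfigMountPath         = `C:\`
 	containerSecretMountPath         = `C:\ProgramData\Docker\secrets`
 	containerInternalSecretMountPath = `C:\ProgramData\Docker\internal\secrets`
 	containerInternalConfigsDirPath  = `C:\ProgramData\Docker\internal\configs`
@@ -87,7 +88,7 @@ func (container *Container) CreateConfigSymlinks() error {
 		if configRef.File == nil {
 			continue
 		}
-		resolvedPath, _, err := container.ResolvePath(configRef.File.Name)
+		resolvedPath, _, err := container.ResolvePath(getConfigTargetPath(configRef))
 		if err != nil {
 			return err
 		}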
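Review bot: `containerConfigMountPath` is added without a comment, and what it produces on Windows is not obvious: `filepath.IsAbs` requires a volume there, so a rooted name without a drive letter is treated as relative and ends up joined under `C:\`. A comment on the constant, e.g. `// containerConfigMountPath is the root that config targets without a drive letter are resolved against.`, would record that. The loop in `CreateConfigSymlinks` continues outside the hunk, so how `resolvedPath` is used afterwards is not visible here.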

+ 1 - 1
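--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -4,7 +4,7 @@
 # The version of runc should match the version that is used by the containerd
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
-: ${RUNC_COMMIT:=12644e614e25b05da6fd08a38ffa0cfe1903fdec} # v1.0.0-rc93
+: ${RUNC_COMMIT:=2c7861bc5e1b3e756392236553ec14a78a09f8bf} # v1.0.0-rc94
 
 install_runc() {
 	# If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting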

+ 0 - 27
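--- a/integration-cli/docker_cli_run_unix_test.go
+++ b/integration-cli/docker_cli_run_unix_test.go
@@ -495,33 +495,6 @@ func (s *DockerSuite) TestRunWithInvalidCpuPeriod(c *testing.T) {
 	assert.Assert(c, strings.Contains(out, expected))
 }
 
-func (s *DockerSuite) TestRunWithKernelMemory(c *testing.T) {
-	testRequires(c, DaemonIsLinux, kernelMemorySupport)
-
-	file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
-	cli.DockerCmd(c, "run", "--kernel-memory", "50M", "--name", "test1", "busybox", "cat", file).Assert(c, icmd.Expected{
-		Out: "52428800",
-	})
-
-	cli.InspectCmd(c, "test1", cli.Format(".HostConfig.KernelMemory")).Assert(c, icmd.Expected{
-		Out: "52428800",
-	})
-}
-
-func (s *DockerSuite) TestRunWithInvalidKernelMemory(c *testing.T) {
-	testRequires(c, DaemonIsLinux, kernelMemorySupport)
-
-	out, _, err := dockerCmdWithError("run", "--kernel-memory", "2M", "busybox", "true")
-	assert.ErrorContains(c, err, "")
-	expected := "Minimum kernel memory limit allowed is 4MB"
-	assert.Assert(c, strings.Contains(out, expected))
-
-	out, _, err = dockerCmdWithError("run", "--kernel-memory", "-16m", "--name", "test2", "busybox", "echo", "test")
-	assert.ErrorContains(c, err, "")
-	expected = "invalid size"
-	assert.Assert(c, strings.Contains(out, expected))
-}
-
 func (s *DockerSuite) TestRunWithCPUShares(c *testing.T) {
 	testRequires(c, cpuShare)
 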

+ 0 - 62
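--- a/integration-cli/docker_cli_update_unix_test.go
+++ b/integration-cli/docker_cli_update_unix_test.go
@@ -14,7 +14,6 @@ import (
 	"github.com/creack/pty"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
-	"github.com/docker/docker/pkg/parsers/kernel"
 	"github.com/docker/docker/testutil/request"
 	"gotest.tools/v3/assert"
 )
@@ -122,67 +121,6 @@ func (s *DockerSuite) TestUpdateContainerWithoutFlags(c *testing.T) {
 	assert.ErrorContains(c, err, "")
 }
 
-func (s *DockerSuite) TestUpdateKernelMemory(c *testing.T) {
-	testRequires(c, DaemonIsLinux, kernelMemorySupport)
-
-	name := "test-update-container"
-	dockerCmd(c, "run", "-d", "--name", name, "--kernel-memory", "50M", "busybox", "top")
-	dockerCmd(c, "update", "--kernel-memory", "100M", name)
-
-	assert.Equal(c, inspectField(c, name, "HostConfig.KernelMemory"), "104857600")
-
-	file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
-	out, _ := dockerCmd(c, "exec", name, "cat", file)
-	assert.Equal(c, strings.TrimSpace(out), "104857600")
-}
-
-func (s *DockerSuite) TestUpdateKernelMemoryUninitialized(c *testing.T) {
-	testRequires(c, DaemonIsLinux, kernelMemorySupport)
-
-	isNewKernel := CheckKernelVersion(4, 6, 0)
-	name := "test-update-container"
-	dockerCmd(c, "run", "-d", "--name", name, "busybox", "top")
-	_, _, err := dockerCmdWithError("update", "--kernel-memory", "100M", name)
-	// Update kernel memory to a running container without kernel memory initialized
-	// is not allowed before kernel version 4.6.
-	if !isNewKernel {
-		assert.ErrorContains(c, err, "")
-	} else {
-		assert.NilError(c, err)
-	}
-
-	dockerCmd(c, "pause", name)
-	_, _, err = dockerCmdWithError("update", "--kernel-memory", "200M", name)
-	if !isNewKernel {
-		assert.ErrorContains(c, err, "")
-	} else {
-		assert.NilError(c, err)
-	}
-	dockerCmd(c, "unpause", name)
-
-	dockerCmd(c, "stop", name)
-	dockerCmd(c, "update", "--kernel-memory", "300M", name)
-	dockerCmd(c, "start", name)
-
-	assert.Equal(c, inspectField(c, name, "HostConfig.KernelMemory"), "314572800")
-
-	file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
-	out, _ := dockerCmd(c, "exec", name, "cat", file)
-	assert.Equal(c, strings.TrimSpace(out), "314572800")
-}
-
-// GetKernelVersion gets the current kernel version.
-func GetKernelVersion() *kernel.VersionInfo {
-	v, _ := kernel.ParseRelease(testEnv.DaemonInfo.KernelVersion)
-	return v
-}
-
-// CheckKernelVersion checks if current kernel is newer than (or equal to)
-// the given version.
-func CheckKernelVersion(k, major, minor int) bool {
-	return kernel.CompareKernelVersion(*GetKernelVersion(), kernel.VersionInfo{Kernel: k, Major: major, Minor: minor}) >= 0
-}
-
 func (s *DockerSuite) TestUpdateSwapMemoryOnly(c *testing.T) {
 	testRequires(c, DaemonIsLinux)
 	testRequires(c, memoryLimitSupport)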

+ 0 - 16
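--- a/integration-cli/requirements_unix_test.go
+++ b/integration-cli/requirements_unix_test.go
@@ -8,7 +8,6 @@ import (
 	"os/exec"
 	"strings"
 
-	"github.com/docker/docker/pkg/parsers/kernel"
 	"github.com/docker/docker/pkg/sysinfo"
 )
 
@@ -37,21 +36,6 @@ func pidsLimit() bool {
 	return SysInfo.PidsLimit
 }
 
-func kernelMemorySupport() bool {
-	// TODO remove this once kmem support in RHEL kernels is fixed. See https://github.com/opencontainers/runc/pull/1921
-	daemonV, err := kernel.ParseRelease(testEnv.DaemonInfo.KernelVersion)
-	if err != nil {
-		return false
-	}
-	requiredV := kernel.VersionInfo{Kernel: 3, Major: 10}
-	if kernel.CompareKernelVersion(*daemonV, requiredV) < 1 {
-		// On Kernel 3.10 and under, don't consider kernel memory to be supported,
-		// even if the kernel (and thus the daemon) reports it as being supported
-		return false
-	}
-	return testEnv.DaemonInfo.KernelMemory
-}
-
 func memoryLimitSupport() bool {
 	return testEnv.DaemonInfo.MemoryLimit
 }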

+ 0 - 35
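--- a/integration/container/run_linux_test.go
+++ b/integration/container/run_linux_test.go
@@ -2,7 +2,6 @@ package container // import "github.com/docker/docker/integration/container"
 
 import (
 	"context"
-	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -17,40 +16,6 @@ import (
 	"gotest.tools/v3/skip"
 )
 
-func TestKernelTCPMemory(t *testing.T) {
-	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
-	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.40"), "skip test from new feature")
-	skip.If(t, testEnv.DaemonInfo.CgroupDriver == "none")
-	skip.If(t, !testEnv.DaemonInfo.KernelMemoryTCP)
-
-	defer setupTest(t)()
-	client := testEnv.APIClient()
-	ctx := context.Background()
-
-	const (
-		kernelMemoryTCP int64 = 200 * 1024 * 1024
-	)
-
-	cID := container.Run(ctx, t, client, func(c *container.TestContainerConfig) {
-		c.HostConfig.Resources = containertypes.Resources{
-			KernelMemoryTCP: kernelMemoryTCP,
-		}
-	})
-
-	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
-
-	inspect, err := client.ContainerInspect(ctx, cID)
-	assert.NilError(t, err)
-	assert.Check(t, is.Equal(kernelMemoryTCP, inspect.HostConfig.KernelMemoryTCP))
-
-	res, err := container.Exec(ctx, client, cID,
-		[]string{"cat", "/sys/fs/cgroup/memory/memory.kmem.tcp.limit_in_bytes"})
-	assert.NilError(t, err)
-	assert.Assert(t, is.Len(res.Stderr(), 0))
-	assert.Equal(t, 0, res.ExitCode)
-	assert.Check(t, is.Equal(strconv.FormatInt(kernelMemoryTCP, 10), strings.TrimSpace(res.Stdout())))
-}
-
 func TestNISDomainname(t *testing.T) {
 	// Older versions of the daemon would concatenate hostname and domainname,
 	// so hostname "foobar" and domainname "baz.cyphar.com" would produce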